Loki
Like Prometheus, but for logs
| Type | object \| null |
|---|---|
| File match | loki.yml, loki.yaml |
| Schema URL | https://catalog.lintel.tools/schemas/schemastore/loki/latest.json |
| Source | https://www.schemastore.org/loki.json |
Validate with Lintel
npx @lintel/lintel check
Properties
A comma-separated list of components to run. The default value 'all' runs Loki in single binary mode. The value 'read' is an alias to run only read-path related components such as the querier and query-frontend, but all in the same process. The value 'write' is an alias to run only write-path related components such as the distributor and compactor, but all in the same process. Supported values: all, compactor, distributor, ingester, querier, query-scheduler, ingester-querier, query-frontend, index-gateway, ruler, table-manager, read, write. A full list of available targets can be printed when running Loki with the '-list-targets' command line flag.
Enables authentication through the X-Scope-OrgID header, which must be present if true. If false, the OrgID will always be set to 'fake'.
The amount of virtual memory in bytes to reserve as ballast in order to optimize garbage collection. Larger ballasts result in fewer garbage collection passes, reducing CPU overhead at the cost of heap size. The ballast will not consume physical memory, because it is never read from. It will, however, distort metrics, because it is counted as live memory. Default: 0.
40 nested properties
HTTP server listen network, default tcp
HTTP server listen address.
HTTP server listen port. Default: 3100.
Maximum number of simultaneous http connections, <=0 to disable. Default: 0.
gRPC server listen network
gRPC server listen address.
gRPC server listen port. Default: 9095.
Maximum number of simultaneous grpc connections, <=0 to disable. Default: 0.
Comma-separated list of cipher suites to use. If blank, the default Go cipher suites are used.
Minimum TLS version to use. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. If blank, the Go TLS minimum version is used.
7 nested properties
Server TLS certificate. This configuration parameter is YAML only.
Server TLS key. This configuration parameter is YAML only.
Root certificate authority used to verify client certificates. This configuration parameter is YAML only.
HTTP server cert path.
HTTP server key path.
HTTP TLS Client Auth type.
HTTP TLS Client CA path.
7 nested properties
Server TLS certificate. This configuration parameter is YAML only.
Server TLS key. This configuration parameter is YAML only.
Root certificate authority used to verify client certificates. This configuration parameter is YAML only.
GRPC TLS server cert path.
GRPC TLS server key path.
GRPC TLS Client Auth type.
GRPC TLS Client CA path.
Register the instrumentation handlers (/metrics etc).
If set to true, gRPC statuses will be reported in instrumentation labels with their string representations. Otherwise, they will be reported as "error".
Timeout for graceful shutdowns
Read timeout for entire HTTP request, including headers and body.
Read timeout for HTTP request headers. If set to 0, value of -server.http-read-timeout is used.
Write timeout for HTTP server
Idle timeout for HTTP server
Log closed connections that did not receive any response, most likely because client didn't send any request within timeout.
Limit on the size of a gRPC message this server can receive (bytes). Default: 4194304.
Limit on the size of a gRPC message this server can send (bytes). Default: 4194304.
Limit on the number of concurrent streams for gRPC calls per client connection (0 = unlimited). Default: 100.
The duration after which an idle connection should be closed. Default: infinity
The duration for the maximum amount of time a connection may exist before it will be closed. Default: infinity
An additive period after max-connection-age after which the connection will be forcibly closed. Default: infinity
Duration after which a keepalive probe is sent in case of no activity over the connection. Default: 2h
After having pinged for keepalive check, the duration after which an idle connection should be closed. Default: 20s
Minimum amount of time a client should wait before sending a keepalive ping. If client sends keepalive ping more often, server will send GOAWAY and close the connection.
If true, server allows keepalive pings even when there are no active streams(RPCs). If false, and client sends ping when there are no active streams, server will send GOAWAY and close the connection.
If non-zero, configures the amount of GRPC server workers used to serve the requests. Default: 0.
Output log messages in the given format. Valid formats: [logfmt, json]
Only log messages with the given severity or above. Valid levels: [debug, info, warn, error]
Optionally log the source IPs.
Header field storing the source IPs. Only used if server.log-source-ips-enabled is true. If not set the default Forwarded, X-Real-IP and X-Forwarded-For headers are used
Regex for matching the source IPs. Only used if server.log-source-ips-enabled is true. If not set the default Forwarded, X-Real-IP and X-Forwarded-For headers are used
Optionally log request headers.
Optionally log requests at info level instead of debug level. Applies to request headers as well if server.log-request-headers is enabled.
Comma separated list of headers to exclude from logging. Only used if server.log-request-headers is true.
Base path to serve all API routes from (e.g. /v1/)
4 nested properties
4 nested properties
Period at which to heartbeat to the ring. 0 = disabled.
The heartbeat timeout after which distributors are considered unhealthy within the ring. 0 = never (timeout disabled).
Name of network interface to read address from.
4 nested properties
The max number of concurrent requests to make to ingester stream apis. Default: 200.
The interval on which distributors will update current stream rates from ingesters
Timeout for communication between distributors and any given ingester when updating rates
If enabled, detailed logs and spans will be emitted.
Customize the logging of write failures.
2 nested properties
Log volume allowed (per second). Default: 1KB.
Whether an insight=true key should be logged or not. Default: false.
1 nested properties
List of default otlp resource attributes to be picked as index labels
9 nested properties
Maximum duration for which the live tailing requests are served.
Time to wait before sending more than the minimum successful query requests.
Maximum lookback beyond which queries are not sent to ingester. 0 means all queries are sent to ingester.
1 nested properties
The maximum amount of time to look back for log lines. Used only for instant log queries.
The maximum number of queries that can be simultaneously processed by the querier. Default: 4.
Only query the store, and not attempt any ingesters. This is useful for running a standalone querier pool operating only against stored data.
When true, queriers only query the ingesters, and not stored data. This is useful when the object store is unavailable.
When true, allow queries to span multiple tenants.
When true, querier limits sent via a header are enforced.
6 nested properties
Maximum number of outstanding requests per tenant per query-scheduler. In-flight requests above this limit will fail with HTTP response status code 429. Default: 32000.
Maximum number of levels of nesting of hierarchical queues. 0 means that hierarchical queues are disabled. Default: 3.
If a querier disconnects without sending notification about graceful shutdown, the query-scheduler will keep the querier in the tenant's shard until the forget delay has passed. This feature is useful to reduce the blast radius when shuffle-sharding is enabled.
20 nested properties
gRPC client max receive message size (bytes). Default: 104857600.
gRPC client max send message size (bytes). Default: 104857600.
Use compression when sending messages. Supported values are: 'gzip', 'snappy' and '' (disable compression)
Rate limit for gRPC client; 0 means disabled. Default: 0.
Rate limit burst for gRPC client. Default: 0.
Enable backoff and retry when we hit rate limits.
3 nested properties
Minimum delay when backing off.
Maximum delay when backing off.
Number of times to backoff and retry before failing. Default: 10.
Initial stream window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Initial connection window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Enable TLS in the gRPC client. This flag needs to be enabled when any other TLS flag is set. If set to false, insecure connection to gRPC server will be used.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
The maximum amount of time to establish a connection. A value of 0 means default gRPC client connect timeout and backoff.
Initial backoff delay after first connection failure. Only relevant if ConnectTimeout > 0.
Maximum backoff delay when establishing a connection. Only relevant if ConnectTimeout > 0.
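The TLS client settings described above (enable flag, certificate validation, cipher suite list, minimum version) can be checked mechanically. The following Python code is an added example, not part of the schema or of Loki: the key names (`auth_enabled`, `tls_enabled`, `tls_insecure_skip_verify`, `tls_cipher_suites`, `tls_min_version` and the block names in the sample) are assumptions, since this listing shows only the descriptions, the sample configuration is constructed, and treating anything below `VersionTLS12` as too weak is the example's own policy.

```python
"""Audit TLS-related settings in a parsed Loki configuration (added example)."""

# Cipher suites this page lists under "Secure Ciphers" and "Insecure Ciphers".
SECURE_CIPHERS = set("""
TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
""".split())
INSECURE_CIPHERS = set("""
TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
""".split())

# Allowed values for the minimum TLS version, weakest first.
VERSIONS = ["VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13"]
MIN_ACCEPTABLE = "VersionTLS12"  # policy of this example, not of Loki

# Assumed key names of the TLS settings inside a client block.
TLS_KEYS = {"tls_cert_path", "tls_key_path", "tls_ca_path", "tls_server_name",
            "tls_insecure_skip_verify", "tls_cipher_suites", "tls_min_version"}


def audit_tls_block(path, block):
    """Return (path, code, message) findings for one block of TLS settings."""
    findings = []
    if block.get("tls_insecure_skip_verify") is True:
        findings.append((path, "skip-verify",
                         "server certificate validation is skipped"))
    version = block.get("tls_min_version") or ""
    if version and version not in VERSIONS:
        findings.append((path, "unknown-min-version", version))
    elif version and VERSIONS.index(version) < VERSIONS.index(MIN_ACCEPTABLE):
        findings.append((path, "weak-min-version", version))
    for suite in (block.get("tls_cipher_suites") or "").split(","):
        suite = suite.strip()
        if not suite:
            continue
        if suite in INSECURE_CIPHERS:
            findings.append((path, "insecure-cipher", suite))
        elif suite not in SECURE_CIPHERS:
            findings.append((path, "unknown-cipher", suite))
    # The page: the enable flag must be set when any other TLS flag is set.
    # Only an explicit false is flagged, because blocks without an enable
    # flag (the HTTP client blocks) look the same as a block that omits it.
    if block.get("tls_enabled") is False and block.keys() & TLS_KEYS:
        findings.append((path, "tls-disabled-with-settings",
                         "TLS settings present but the connection is insecure"))
    return findings


def _walk(node, path):
    """Recurse through dicts and lists, auditing every block with TLS keys."""
    findings = []
    if isinstance(node, dict):
        if "tls_enabled" in node or node.keys() & TLS_KEYS:
            findings.extend(audit_tls_block(path or "<root>", node))
        for key, value in node.items():
            findings.extend(_walk(value, f"{path}.{key}" if path else key))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(_walk(item, f"{path}[{index}]"))
    return findings


def audit_loki_config(config):
    """Audit a configuration already parsed from YAML into dicts and lists."""
    findings = []
    if config.get("auth_enabled") is False:
        findings.append(("auth_enabled", "auth-disabled",
                         "X-Scope-OrgID is not required; OrgID is always 'fake'"))
    return findings + _walk(config, "")


# Constructed sample input; block names are assumptions for illustration.
SAMPLE_CONFIG = {
    "auth_enabled": False,
    "query_scheduler": {"grpc_client_config": {
        "tls_enabled": False,
        "tls_ca_path": "/etc/loki/ca.pem",
        "tls_min_version": "VersionTLS10",
    }},
    "frontend": {"grpc_client_config": {
        "tls_enabled": True,
        "tls_insecure_skip_verify": True,
        "tls_cipher_suites": "TLS_AES_128_GCM_SHA256, TLS_RSA_WITH_RC4_128_SHA",
    }},
    "ruler": {"alertmanager_client": {"tls_min_version": "VersionTLS13"}},
}

if __name__ == "__main__":
    for path, code, message in audit_loki_config(SAMPLE_CONFIG):
        print(f"{path}: {code}: {message}")
```
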
Set to true to have the query schedulers create and place themselves in a ring. If no frontend_address or scheduler_address are present anywhere else in the configuration, Loki will toggle this value to true.
The hash ring configuration. This option is required only if use_scheduler_ring is true.
13 nested properties
Period at which to heartbeat to the ring. 0 = disabled.
The heartbeat timeout after which compactors are considered unhealthy within the ring. 0 = never (timeout disabled).
File path where tokens are stored. If empty, tokens are not stored at shutdown and restored at startup.
True to enable zone-awareness and replicate blocks across different availability zones.
Instance ID to register in the ring.
Name of network interface to read address from.
Port to advertise in the ring (defaults to server.grpc-listen-port). Default: 0.
IP address to advertise in the ring.
The availability zone where this instance is running. Required if zone-awareness is enabled.
Enable using an IPv6 instance address.
17 nested properties
Log queries that are slower than the specified duration. Set to 0 to disable. Set to < 0 to enable on all queries.
Comma-separated list of request header names to include in query logs. Applies to both query stats and slow queries logs.
Max body size for downstream prometheus. Default: 10485760.
True to enable query statistics tracking. When enabled, a message with some statistics is logged for every query.
Maximum number of outstanding requests per tenant per frontend; requests beyond this error with HTTP 429. Default: 2048.
In the event a tenant is repeatedly sending queries that lead the querier to crash or be killed due to an out-of-memory error, the crashed querier will be disconnected from the query frontend and a new querier will be immediately assigned to the tenant’s shard. This invalidates the assumption that shuffle sharding can be used to reduce the impact on tenants. This option mitigates the impact by configuring a delay between when a querier disconnects because of a crash and when the crashed querier is actually removed from the tenant's shard.
DNS hostname used for finding query-schedulers.
How often to resolve the scheduler-address, in order to look for new query-scheduler instances. Also used to determine how often to poll the scheduler-ring for addresses if the scheduler-ring is configured.
Number of concurrent workers forwarding queries to single query-scheduler. Default: 5.
20 nested properties
gRPC client max receive message size (bytes). Default: 104857600.
gRPC client max send message size (bytes). Default: 104857600.
Use compression when sending messages. Supported values are: 'gzip', 'snappy' and '' (disable compression)
Rate limit for gRPC client; 0 means disabled. Default: 0.
Rate limit burst for gRPC client. Default: 0.
Enable backoff and retry when we hit rate limits.
3 nested properties
Minimum delay when backing off.
Maximum delay when backing off.
Number of times to backoff and retry before failing. Default: 10.
Initial stream window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Initial connection window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Enable TLS in the gRPC client. This flag needs to be enabled when any other TLS flag is set. If set to false, insecure connection to gRPC server will be used.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
The maximum amount of time to establish a connection. A value of 0 means default gRPC client connect timeout and backoff.
Initial backoff delay after first connection failure. Only relevant if ConnectTimeout > 0.
Maximum backoff delay when establishing a connection. Only relevant if ConnectTimeout > 0.
Time to wait for inflight requests to finish before forcefully shutting down. This needs to be aligned with the query timeout and the graceful termination period of the process orchestrator.
Name of network interface to read address from. This address is sent to query-scheduler and querier, which uses it to send the query response back to query-frontend.
Defines the encoding for requests to and responses from the scheduler and querier. Can be 'json' or 'protobuf' (defaults to 'json').
Compress HTTP responses.
URL of downstream Loki.
URL of querier for tail proxy.
7 nested properties
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
17 nested properties
Mutate incoming queries to align their start and end with their step.
2 nested properties
6 nested properties
The default validity of entries for caches unless overridden.
Use compression in cache. The default is an empty value '', which disables compression. Supported values are: 'snappy' and ''.
Cache query results.
Maximum number of retries for a single request; beyond this, the downstream error is returned. Default: 5.
Perform query parallelisations based on storage sharding configuration and query ASTs. This feature is supported only by the chunks storage engine.
A comma-separated list of LogQL vector and range aggregations that should be sharded
Cache index stats query results.
If a cache config is not specified and cache_index_stats_results is true, the config for the results cache is used.
2 nested properties
6 nested properties
The default validity of entries for caches unless overridden.
Use compression in cache. The default is an empty value '', which disables compression. Supported values are: 'snappy' and ''.
Cache volume query results.
If a cache config is not specified and cache_volume_results is true, the config for the results cache is used.
2 nested properties
6 nested properties
The default validity of entries for caches unless overridden.
Use compression in cache. The default is an empty value '', which disables compression. Supported values are: 'snappy' and ''.
Cache instant metric query results.
If a cache config is not specified and cache_instant_metric_results is true, the config for the results cache is used.
2 nested properties
6 nested properties
The default validity of entries for caches unless overridden.
Use compression in cache. The default is an empty value '', which disables compression. Supported values are: 'snappy' and ''.
Whether to align the splits of instant metric query with splitByInterval and query's exec time. Useful when instant_metric_cache is enabled
Cache series query results.
If series_results_cache is not configured and cache_series_results is true, the config for the results cache is used.
2 nested properties
6 nested properties
The default validity of entries for caches unless overridden.
Use compression in cache. The default is an empty value '', which disables compression. Supported values are: 'snappy' and ''.
Cache label query results.
If label_results_cache is not configured and cache_label_results is true, the config for the results cache is used.
2 nested properties
6 nested properties
The default validity of entries for caches unless overridden.
Use compression in cache. The default is an empty value '', which disables compression. Supported values are: 'snappy' and ''.
34 nested properties
Base URL of the Grafana instance.
Datasource UID for the dashboard.
Labels to add to all alerts.
20 nested properties
gRPC client max receive message size (bytes). Default: 104857600.
gRPC client max send message size (bytes). Default: 104857600.
Use compression when sending messages. Supported values are: 'gzip', 'snappy' and '' (disable compression)
Rate limit for gRPC client; 0 means disabled. Default: 0.
Rate limit burst for gRPC client. Default: 0.
Enable backoff and retry when we hit rate limits.
3 nested properties
Minimum delay when backing off.
Maximum delay when backing off.
Number of times to backoff and retry before failing. Default: 10.
Initial stream window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Initial connection window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Enable TLS in the gRPC client. This flag needs to be enabled when any other TLS flag is set. If set to false, insecure connection to gRPC server will be used.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
The maximum amount of time to establish a connection. A value of 0 means default gRPC client connect timeout and backoff.
Initial backoff delay after first connection failure. Only relevant if ConnectTimeout > 0.
Maximum backoff delay when establishing a connection. Only relevant if ConnectTimeout > 0.
How frequently to evaluate rules.
How frequently to poll for rule changes.
Deprecated: Use -ruler-storage. CLI flags and their respective YAML config options instead.
9 nested properties
Method to use for backend rule storage (configdb, azure, gcs, s3, swift, local, bos, cos)
21 nested properties
Azure Cloud environment. Supported values are: AzureGlobal, AzureChinaCloud, AzureGermanCloud, AzureUSGovernment.
Azure storage account name.
Azure storage account key.
If connection-string is set, the values of account-name and endpoint-suffix values will not be used. Use this method over account-key if you need to authenticate via a SAS token. Or if you use the Azurite emulator.
Name of the storage account blob container used to store chunks. This container must be created before running cortex.
Azure storage endpoint suffix without schema. The storage account name will be prefixed to this value to create the FQDN.
Use Managed Identity to authenticate to the Azure storage account.
Use Federated Token to authenticate to the Azure storage account.
User assigned identity ID to authenticate to the Azure storage account.
Use Service Principal to authenticate through Azure OAuth.
Azure Service Principal ID(GUID).
Azure Service Principal secret key.
Azure Tenant ID is used to authenticate through Azure OAuth.
Chunk delimiter for blob ID to be used
Preallocated buffer size for downloads. Default: 512000.
Preallocated buffer size for uploads. Default: 256000.
Number of buffers used to upload a chunk. Default: 1.
Timeout for requests made against azure blob storage.
Number of retries for a request which times out. Default: 5.
Minimum time to wait before retrying a request.
Maximum time to wait before retrying a request.
4 nested properties
Name of OSS bucket.
oss Endpoint to connect to.
alibabacloud Access Key ID
alibabacloud Secret Access Key
7 nested properties
Name of GCS bucket. Please refer to https://cloud.google.com/docs/authentication/production for more information about how to configure authentication.
Service account key content in JSON format, refer to https://cloud.google.com/iam/docs/creating-managing-service-account-keys for creation.
The size of the buffer that the GCS client uses for each PUT request. 0 to disable buffering. Default: 0.
The duration after which the requests to GCS should be timed out.
Enable OpenCensus (OC) instrumentation for all requests.
Enable HTTP2 connections.
Enable automatic retries of failed idempotent requests.
14 nested properties
S3 endpoint URL with escaped Key and Secret encoded. If only region is specified as a host, proper endpoint will be deduced. Use inmemory:///
Set this to true to force the request to use path-style addressing.
Comma separated list of bucket names to evenly distribute chunks over. Overrides any buckets specified in s3.url flag
S3 Endpoint to connect to.
AWS region to use.
AWS Access Key ID
AWS Secret Access Key
AWS Session Token
Disable https on s3 connection.
The signature version to use for authenticating against S3. Supported values are: v4.
The S3 storage class which objects will use. Supported values are: GLACIER, DEEP_ARCHIVE, GLACIER_IR, INTELLIGENT_TIERING, ONEZONE_IA, OUTPOSTS, REDUCED_REDUNDANCY, STANDARD, STANDARD_IA.
Configures back off when S3 get Object.
4 nested properties
Name of BOS bucket.
BOS endpoint to connect to.
Baidu Cloud Engine (BCE) Access Key ID.
Baidu Cloud Engine (BCE) Secret Access Key.
19 nested properties
OpenStack Swift authentication API version. 0 to autodetect. Default: 0.
OpenStack Swift authentication URL
Set this to true to use the internal OpenStack Swift endpoint URL
OpenStack Swift username.
OpenStack Swift user's domain name.
OpenStack Swift user's domain ID.
OpenStack Swift user ID.
OpenStack Swift API key.
OpenStack Swift user's domain ID.
OpenStack Swift user's domain name.
OpenStack Swift project ID (v2,v3 auth only).
OpenStack Swift project name (v2,v3 auth only).
ID of the OpenStack Swift project's domain (v3 auth only), only needed if it differs from the user domain.
Name of the OpenStack Swift project's domain (v3 auth only), only needed if it differs from the user domain.
OpenStack Swift Region to use (v2,v3 auth only).
Name of the OpenStack Swift container to put chunks in.
Max retries on requests error. Default: 3.
Time after which a connection attempt is aborted.
Time after which an idle request is aborted. The timeout watchdog is reset each time some data is received, so the timeout triggers after X time no data is received on a request.
14 nested properties
Set this to true to force the request to use path-style addressing.
Comma separated list of bucket names to evenly distribute chunks over.
COS Endpoint to connect to.
COS region to use.
COS HMAC Access Key ID.
COS HMAC Secret Access Key.
Configures back off when cos get Object.
IAM API key to access COS.
COS service instance id to use.
IAM Auth Endpoint for authentication.
Compute resource token file path.
Name of the trusted profile.
ID of the trusted profile.
Configures backend rule storage for a local file system directory.
1 nested properties
Directory to scan for rules
File path to store temporary rule files.
Comma-separated list of Alertmanager URLs to send notifications to. Each Alertmanager URL is treated as a separate group in the configuration. Multiple Alertmanagers in HA per group can be supported by using DNS resolution via '-ruler.alertmanager-discovery'.
Use DNS SRV records to discover Alertmanager hosts.
How long to wait between refreshing DNS resolutions of Alertmanager hosts.
If enabled requests to Alertmanager will utilize the V2 API.
List of alert relabel configs.
Capacity of the queue for notifications to be sent to the Alertmanager. Default: 10000.
HTTP timeout duration when sending notifications to the Alertmanager.
12 nested properties
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
HTTP Basic authentication username. It overrides the username set in the URL (if any).
HTTP Basic authentication password. It overrides the password set in the URL (if any).
HTTP Header authorization type (default: Bearer).
HTTP Header authorization credentials.
HTTP Header authorization credentials file.
Max time to tolerate outage for restoring "for" state of alert.
Minimum duration between alert and restored "for" state. This is maintained only for alerts with configured "for" time greater than the grace period.
Minimum amount of time to wait before resending an alert to Alertmanager.
Distribute rule evaluation using ring backend.
The sharding strategy to use. Supported values are: default, shuffle-sharding.
The sharding algorithm to use for deciding how rules & groups are sharded. Supported values are: by-group, by-rule.
Time to spend searching for a pending ruler when shutting down.
Ring used by Loki ruler. The CLI flags prefix for this block configuration is 'ruler.ring'.
5 nested properties
Interval between heartbeats sent to the ring. 0 = disabled.
The heartbeat timeout after which ruler ring members are considered unhealthy within the ring. 0 = never (timeout disabled).
Name of network interface to read addresses from.
The number of tokens the lifecycler will generate and put into the ring if it joined without transferring tokens from another lifecycler. Default: 128.
Period with which to attempt to flush rule groups.
Enable the ruler API.
Comma separated list of tenants whose rules this ruler can evaluate. If specified, only these tenants will be handled by ruler, otherwise this ruler can process rules from all tenants. Subject to sharding.
Comma separated list of tenants whose rules this ruler cannot evaluate. If specified, a ruler that would normally pick the specified tenant(s) for processing will ignore them instead. Subject to sharding.
Report the wall time for ruler queries to complete as a per user metric and as an info level log message.
Disable the rule_group label on exported metrics.
4 nested properties
The directory in which to write tenant WAL files. Each tenant will have its own directory one level below this directory.
Frequency with which to run the WAL truncation process.
Minimum age that samples must exist in the WAL before being truncated.
Maximum age that samples must exist in the WAL before being truncated.
2 nested properties
The minimum age of a WAL to consider for cleaning.
How often to run the WAL cleaner. 0 = disabled.
Remote-write configuration to send rule samples to a Prometheus remote-write endpoint.
5 nested properties
Configure remote write clients. A map with remote client id as key.
Enable remote-write functionality.
Minimum period to wait between refreshing remote-write reconfigurations. This should be greater than or equivalent to -limits.per-user-override-period.
Add X-Scope-OrgID header in remote write requests.
Configuration for rule evaluation.
3 nested properties
The evaluation mode for the ruler. Can be either 'local' or 'remote'. If set to 'local', the ruler will evaluate rules locally. If set to 'remote', the ruler will evaluate rules remotely. If unset, the ruler will evaluate rules locally.
Upper bound of random duration to wait before rule evaluation to avoid contention during concurrent execution of rules. Jitter is calculated consistently for a given rule. Set 0 to disable (default).
9 nested properties
GRPC listen address of the query-frontend(s). Must be a DNS address (prefixed with dns:///) to enable client side load balancing.
Set to true if query-frontend connection requires TLS.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
3 nested properties
Configures how connections are pooled.
3 nested properties
How frequently to clean up clients for ingesters that have gone away.
Run a health check on each ingester client during periodic cleanup.
How quickly a dead client will be removed after it has been detected to disappear. Set this to a value to allow time for a secondary health check to recover the missing client.
The remote request timeout on the client side.
20 nested properties
gRPC client max receive message size (bytes). Default: 104857600.
gRPC client max send message size (bytes). Default: 104857600.
Use compression when sending messages. Supported values are: 'gzip', 'snappy' and '' (disable compression)
Rate limit for gRPC client; 0 means disabled. Default: 0.
Rate limit burst for gRPC client. Default: 0.
Enable backoff and retry when we hit rate limits.
3 nested properties
Minimum delay when backing off.
Maximum delay when backing off.
Number of times to backoff and retry before failing. Default: 10.
Initial stream window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Initial connection window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Enable TLS in the gRPC client. This flag needs to be enabled when any other TLS flag is set. If set to false, insecure connection to gRPC server will be used.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
The maximum amount of time to establish a connection. A value of 0 means default gRPC client connect timeout and backoff.
Initial backoff delay after first connection failure. Only relevant if ConnectTimeout > 0.
Maximum backoff delay when establishing a connection. Only relevant if ConnectTimeout > 0.
19 nested properties
Configures how the lifecycle of the ingester will operate and where it will register for discovery.
17 nested properties
5 nested properties
The heartbeat timeout after which ingesters are skipped for reads/writes. 0 = never (timeout disabled).
The number of ingesters to write to and read from. Default: 3.
True to enable the zone-awareness and replicate ingested samples across different availability zones.
Comma-separated list of zones to exclude from the ring. Instances in excluded zones will be filtered out from the ring.
Number of tokens for each ingester. Default: 128.
Period at which to heartbeat to consul. 0 = disabled.
Heartbeat timeout after which instance is assumed to be unhealthy. 0 = disabled.
Observe tokens after generating to resolve collisions. Useful when using gossiping ring.
Period to wait for a claim from another member; will join automatically after this.
Minimum duration to wait after the internal readiness checks have passed but before succeeding the readiness endpoint. This is used to slow down deployment controllers (e.g. Kubernetes) after an instance is ready and before they proceed with a rolling update, to give the rest of the cluster instances enough time to receive ring updates.
Name of network interface to read address from.
Enable IPv6 support. Required to make use of IP addresses from IPv6 interfaces.
Duration to sleep for before exiting, to ensure metrics are scraped.
File path where tokens are stored. If empty, tokens are not stored at shutdown and restored at startup.
The availability zone where this instance is running.
Unregister from the ring upon clean shutdown. It can be useful to disable for rolling restarts with consistent naming in conjunction with -distributor.extend-writes=false.
When enabled the readiness probe succeeds only after all instances are ACTIVE and healthy in the ring, otherwise only the instance itself is checked. This option should be disabled if in your cluster multiple instances can be rolled out simultaneously, otherwise rolling updates may be slowed down.
IP address to advertise in the ring.
Port to advertise in Consul (defaults to server.grpc-listen-port). Default: 0.
ID to register in the ring.
How many flushes can happen concurrently from each stream. Default: 32.
How often should the ingester see if there are any blocks to flush. The first flush check is delayed by a random time up to 0.8x the flush check period. Additionally, there is +/- 1% jitter added to the interval.
The timeout before a flush is cancelled.
How long chunks should be retained in-memory after they've been flushed.
How long chunks should sit in-memory with no updates before being flushed if they don't hit the max block size. This means that half-empty chunks will still be flushed after a certain period as long as they receive no further activity.
The targeted uncompressed size in bytes of a chunk block. When this threshold is exceeded the head block will be cut and compressed inside the chunk. Default: 262144.
A target compressed size in bytes for chunks. This is a desired size not an exact size, chunks may be slightly bigger or significantly smaller if they get flushed for other reasons (e.g. chunk_idle_period). A value of 0 creates chunks with a fixed 10 blocks, a non zero value will create chunks with a variable number of blocks to meet the target size. Default: 1572864.
The algorithm to use for compressing chunks. Supported values: none, gzip, lz4-64k, snappy, lz4-256k, lz4-1M, lz4, flate, zstd.
The maximum duration of a timeseries chunk in memory. If a timeseries runs for longer than this, the current chunk will be flushed to the store and a new chunk created.
Forget about ingesters having heartbeat timestamps older than ring.kvstore.heartbeat_timeout. This is equivalent to clicking on the /ring forget button in the UI: the ingester is removed from the ring. This is a useful setting when you are sure that an unhealthy node won't return. An example is when not using stateful sets or the equivalent. Use memberlist.rejoin_interval > 0 to handle network partition cases when using a memberlist.
Parameters used to synchronize ingesters to cut chunks at the same moment. Sync period is used to roll over incoming entries to a new chunk. If the chunk's utilization isn't high enough (e.g. less than 50% when sync_min_utilization is set to 0.5), then this chunk rollover doesn't happen.
Minimum utilization of chunk when doing synchronization. Default: 0.1.
The maximum number of errors a stream will report to the user when a push fails. 0 to make unlimited. Default: 10.
How far back should an ingester be allowed to query the store for data, for use only with boltdb-shipper/tsdb index and filesystem object store. -1 for infinite.
The ingester WAL (Write Ahead Log) records incoming logs and stores them on the local file systems in order to guarantee persistence of acknowledged data in the event of a process crash.
5 nested properties
Enable writing of ingested data into WAL.
Directory where the WAL data is stored and/or recovered from.
Interval at which checkpoints should be created.
When WAL is enabled, should chunks be flushed to long-term storage on shutdown.
Maximum memory size the WAL may use during replay. After hitting this, it will flush data to storage before continuing. A unit suffix (KB, MB, GB) may be applied. Default: 4GB.
Shard factor used in the ingesters for the in process reverse index. This MUST be evenly divisible by ALL schema shard factors or Loki will not start. Default: 32.
Maximum number of dropped streams to keep in memory during tailing. Default: 10.
Path where the shutdown marker file is stored. If not set and common.path_prefix is set then common.path_prefix will be used.
5 nested properties
Whether the pattern ingester is enabled.
Configures how the lifecycle of the pattern ingester will operate and where it will register for discovery.
17 nested properties
5 nested properties
The heartbeat timeout after which ingesters are skipped for reads/writes. 0 = never (timeout disabled).
The number of ingesters to write to and read from. Default: 1.
True to enable the zone-awareness and replicate ingested samples across different availability zones.
Comma-separated list of zones to exclude from the ring. Instances in excluded zones will be filtered out from the ring.
Number of tokens for each ingester. Default: 128.
Period at which to heartbeat to consul. 0 = disabled.
Heartbeat timeout after which instance is assumed to be unhealthy. 0 = disabled.
Observe tokens after generating to resolve collisions. Useful when using gossiping ring.
Period to wait for a claim from another member; will join automatically after this.
Minimum duration to wait after the internal readiness checks have passed but before succeeding the readiness endpoint. This is used to slow down deployment controllers (e.g. Kubernetes) after an instance is ready and before they proceed with a rolling update, to give the rest of the cluster instances enough time to receive ring updates.
Name of network interface to read address from.
Enable IPv6 support. Required to make use of IP addresses from IPv6 interfaces.
Duration to sleep for before exiting, to ensure metrics are scraped.
File path where tokens are stored. If empty, tokens are not stored at shutdown and restored at startup.
The availability zone where this instance is running.
Unregister from the ring upon clean shutdown. It can be useful to disable for rolling restarts with consistent naming in conjunction with -distributor.extend-writes=false.
When enabled the readiness probe succeeds only after all instances are ACTIVE and healthy in the ring, otherwise only the instance itself is checked. This option should be disabled if in your cluster multiple instances can be rolled out simultaneously, otherwise rolling updates may be slowed down.
IP address to advertise in the ring.
Port to advertise in Consul (defaults to server.grpc-listen-port). Default: 0.
ID to register in the ring.
Configures how the pattern ingester will connect to the ingesters.
3 nested properties
Configures how connections are pooled.
3 nested properties
How frequently to clean up clients for ingesters that have gone away.
Run a health check on each ingester client during periodic cleanup.
Timeout for the health check.
The remote request timeout on the client side.
20 nested properties
gRPC client max receive message size (bytes). Default: 104857600.
gRPC client max send message size (bytes). Default: 104857600.
Use compression when sending messages. Supported values are: 'gzip', 'snappy' and '' (disable compression)
Rate limit for gRPC client; 0 means disabled. Default: 0.
Rate limit burst for gRPC client. Default: 0.
Enable backoff and retry when we hit rate limits.
Initial stream window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Initial connection window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Enable TLS in the gRPC client. This flag needs to be enabled when any other TLS flag is set. If set to false, insecure connection to gRPC server will be used.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
The maximum amount of time to establish a connection. A value of 0 means default gRPC client connect timeout and backoff.
Initial backoff delay after first connection failure. Only relevant if ConnectTimeout > 0.
Maximum backoff delay when establishing a connection. Only relevant if ConnectTimeout > 0.
How many flushes can happen concurrently from each stream. Default: 32.
How often should the ingester see if there are any blocks to flush. The first flush check is delayed by a random time up to 0.8x the flush check period. Additionally, there is +/- 1% jitter added to the interval.
2 nested properties
Defines in which mode the index gateway server will operate (defaults to 'simple'). It supports two modes:
- 'simple': an index gateway server instance is responsible for handling, storing and returning requests for all indices for all tenants.
- 'ring': an index gateway server instance is responsible for a subset of tenants instead of all tenants.
Defines the ring to be used by the index gateway servers and clients in case the servers are configured to run in 'ring' mode. In case this isn't configured, this block supports inheriting configuration from the common ring section.
13 nested properties
Period at which to heartbeat to the ring. 0 = disabled.
The heartbeat timeout after which compactors are considered unhealthy within the ring. 0 = never (timeout disabled).
File path where tokens are stored. If empty, tokens are not stored at shutdown and restored at startup.
True to enable zone-awareness and replicate blocks across different availability zones.
Deprecated: How many index gateway instances are assigned to each tenant. Use -index-gateway.shard-size instead. The shard size is also a per-tenant setting. Default: 3.
Instance ID to register in the ring.
Name of network interface to read address from.
Port to advertise in the ring (defaults to server.grpc-listen-port). Default: 0.
IP address to advertise in the ring.
The availability zone where this instance is running. Required if zone-awareness is enabled.
Enable using an IPv6 instance address.
11 nested properties
Defines the ring to be used by the bloom-compactor servers. In case this isn't configured, this block supports inheriting configuration from the common ring section.
13 nested properties
Period at which to heartbeat to the ring. 0 = disabled.
The heartbeat timeout after which compactors are considered unhealthy within the ring. 0 = never (timeout disabled).
File path where tokens are stored. If empty, tokens are not stored at shutdown and restored at startup.
True to enable zone-awareness and replicate blocks across different availability zones.
Number of tokens to use in the ring per compactor. A higher number of tokens will result in more and smaller files (metas and blocks). Default: 10.
Instance ID to register in the ring.
Name of network interface to read address from.
Port to advertise in the ring (defaults to server.grpc-listen-port). Default: 0.
IP address to advertise in the ring.
The availability zone where this instance is running. Required if zone-awareness is enabled.
Enable using an IPv6 instance address.
Flag to enable or disable the usage of the bloom-compactor component.
Interval at which to re-run the compaction operation.
Newest day-table offset (from today, inclusive) to compact. Increase to lower cost by not re-writing data to object storage too frequently since recent data changes more often at the cost of not having blooms available as quickly. Default: 1.
Oldest day-table offset (from today, inclusive) to compact. This can be used to lower cost by not trying to compact older data which doesn't change. This can be optimized by aligning it with the maximum reject_old_samples_max_age setting of any tenant. Default: 2.
Number of workers to run in parallel for compaction. Default: 1.
Minimum backoff time between retries.
Maximum backoff time between retries.
Number of retries to perform when compaction fails. Default: 3.
Maximum number of tables to compact in parallel. While increasing this value, please make sure compactor has enough disk space allocated to be able to store and compact as many tables. Default: 1.
2 nested properties
Enable bloom retention.
Max lookback days for retention. Default: 365.
6 nested properties
Flag to enable or disable the bloom gateway component globally.
5 nested properties
Configures the behavior of the connection pool.
3 nested properties
How frequently to clean up clients for servers that have gone away or are unhealthy.
Run a health check on each server during periodic cleanup.
Timeout for the health check if health check is enabled.
20 nested properties
gRPC client max receive message size (bytes). Default: 104857600.
gRPC client max send message size (bytes). Default: 104857600.
Use compression when sending messages. Supported values are: 'gzip', 'snappy' and '' (disable compression)
Rate limit for gRPC client; 0 means disabled. Default: 0.
Rate limit burst for gRPC client. Default: 0.
Enable backoff and retry when we hit rate limits.
Initial stream window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Initial connection window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Enable TLS in the gRPC client. This flag needs to be enabled when any other TLS flag is set. If set to false, insecure connection to gRPC server will be used.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
The maximum amount of time to establish a connection. A value of 0 means default gRPC client connect timeout and backoff.
Initial backoff delay after first connection failure. Only relevant if ConnectTimeout > 0.
Maximum backoff delay when establishing a connection. Only relevant if ConnectTimeout > 0.
2 nested properties
Use compression in cache. The default is an empty value '', which disables compression. Supported values are: 'snappy' and ''.
Flag to control whether to cache bloom gateway client requests/responses.
Comma separated addresses list in DNS Service Discovery format: https://grafana.com/docs/mimir/latest/configure/about-dns-service-discovery/#supported-discovery-modes
Number of workers to use for filtering chunks concurrently. Usually set to 1x number of CPU cores. Default: 4.
Number of blocks processed concurrently on a single worker. Usually set to 2x number of CPU cores. Default: 8.
Maximum number of outstanding tasks per tenant. Default: 1024.
How many tasks are multiplexed at once. Default: 512.
24 nested properties
4 nested properties
Name of OSS bucket.
OSS endpoint to connect to.
Alibaba Cloud Access Key ID.
Alibaba Cloud Secret Access Key.
15 nested properties
Deprecated: Configures storing indexes in DynamoDB.
8 nested properties
DynamoDB endpoint URL with escaped Key and Secret encoded. If only region is specified as a host, proper endpoint will be deduced. Use inmemory:///
DynamoDB table management requests per second limit. Default: 2.
DynamoDB rate cap to back off when throttled. Default: 10.
Number of chunks to group together to parallelise fetches (zero to disable). Default: 10.
Max number of chunk-get operations to start in parallel. Default: 32.
KMS key used for encrypting DynamoDB items. DynamoDB will use an Amazon owned KMS key if not provided.
S3 endpoint URL with escaped Key and Secret encoded. If only region is specified as a host, proper endpoint will be deduced. Use inmemory:///
Set this to true to force the request to use path-style addressing.
Comma separated list of bucket names to evenly distribute chunks over. Overrides any buckets specified in s3.url flag
S3 Endpoint to connect to.
AWS region to use.
AWS Access Key ID
AWS Secret Access Key
AWS Session Token
Disable HTTPS on the S3 connection.
5 nested properties
Timeout specifies a time limit for requests made by s3 Client.
The maximum amount of time an idle connection will be held open.
If non-zero, specifies the amount of time to wait for a server's response headers after fully writing the request.
Set to true to skip verifying the certificate chain and hostname.
Path to the trusted CA file that signed the SSL certificate of the S3 endpoint.
The signature version to use for authenticating against S3. Supported values are: v4.
The S3 storage class which objects will use. Supported values are: GLACIER, DEEP_ARCHIVE, GLACIER_IR, INTELLIGENT_TIERING, ONEZONE_IA, OUTPOSTS, REDUCED_REDUNDANCY, STANDARD, STANDARD_IA.
3 nested properties
Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3.
KMS Key ID used to encrypt objects in S3
KMS Encryption Context used for object encryption. It expects JSON formatted string.
Configures backoff when getting objects from S3.
3 nested properties
Minimum backoff time when getting an object from S3.
Maximum backoff time when getting an object from S3.
Maximum number of times to retry when getting an object from S3. Default: 5.
21 nested properties
Azure Cloud environment. Supported values are: AzureGlobal, AzureChinaCloud, AzureGermanCloud, AzureUSGovernment.
Azure storage account name.
Azure storage account key.
If connection-string is set, the values of account-name and endpoint-suffix will not be used. Use this method over account-key if you need to authenticate via a SAS token or if you use the Azurite emulator.
Name of the storage account blob container used to store chunks. This container must be created before running cortex.
Azure storage endpoint suffix without schema. The storage account name will be prefixed to this value to create the FQDN.
Use Managed Identity to authenticate to the Azure storage account.
Use Federated Token to authenticate to the Azure storage account.
User assigned identity ID to authenticate to the Azure storage account.
Use Service Principal to authenticate through Azure OAuth.
Azure Service Principal ID (GUID).
Azure Service Principal secret key.
Azure Tenant ID is used to authenticate through Azure OAuth.
Chunk delimiter for blob ID to be used.
Preallocated buffer size for downloads. Default: 512000.
Preallocated buffer size for uploads. Default: 256000.
Number of buffers used to upload a chunk. Default: 1.
Timeout for requests made against Azure Blob Storage.
Number of retries for a request which times out. Default: 5.
Minimum time to wait before retrying a request.
Maximum time to wait before retrying a request.
4 nested properties
Name of BOS bucket.
BOS endpoint to connect to.
Baidu Cloud Engine (BCE) Access Key ID.
Baidu Cloud Engine (BCE) Secret Access Key.
Deprecated: Configures storing indexes in Bigtable. Required fields only required when bigtable is defined in config.
5 nested properties
Bigtable project ID.
Bigtable instance ID. Please refer to https://cloud.google.com/docs/authentication/production for more information about how to configure authentication.
20 nested properties
gRPC client max receive message size (bytes). Default: 104857600.
gRPC client max send message size (bytes). Default: 104857600.
Use compression when sending messages. Supported values are: 'gzip', 'snappy' and '' (disable compression)
Rate limit for gRPC client; 0 means disabled. Default: 0.
Rate limit burst for gRPC client. Default: 0.
Enable backoff and retry when we hit rate limits.
Initial stream window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Initial connection window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Enable TLS in the gRPC client. This flag needs to be enabled when any other TLS flag is set. If set to false, insecure connection to gRPC server will be used.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
The maximum amount of time to establish a connection. A value of 0 means default gRPC client connect timeout and backoff.
Initial backoff delay after first connection failure. Only relevant if ConnectTimeout > 0.
Maximum backoff delay when establishing a connection. Only relevant if ConnectTimeout > 0.
If enabled, once a table's info is fetched, it is cached.
Duration to cache tables before checking again.
7 nested properties
Name of GCS bucket. Please refer to https://cloud.google.com/docs/authentication/production for more information about how to configure authentication.
Service account key content in JSON format, refer to https://cloud.google.com/iam/docs/creating-managing-service-account-keys for creation.
The size of the buffer that the GCS client uses for each PUT request. 0 to disable buffering. Default: 0.
The duration after which the requests to GCS should be timed out.
Enable OpenCensus (OC) instrumentation for all requests.
Enable HTTP2 connections.
Enable automatic retries of failed idempotent requests.
Deprecated: Configures storing chunks and/or the index in Cassandra.
27 nested properties
Comma-separated hostnames or IPs of Cassandra instances.
Port that Cassandra is running on. Default: 9042.
Keyspace to use in Cassandra.
Consistency level for Cassandra.
Replication factor to use in Cassandra. Default: 3.
Instruct the cassandra driver to not attempt to get host info from the system.peers table.
Use SSL when connecting to cassandra instances.
Require SSL certificate validation.
Policy for selecting Cassandra host. Supported values are: round-robin, token-aware.
Path to certificate file to verify the peer.
Path to certificate file used by TLS.
Path to private key file used by TLS.
Enable password authentication when connecting to cassandra.
Username to use when connecting to cassandra.
Password to use when connecting to cassandra.
File containing password to use when connecting to cassandra.
If set, when authenticating with cassandra a custom authenticator will be expected during the handshake. This flag can be set multiple times.
Timeout when connecting to cassandra.
Initial connection timeout, used during initial dial to server.
Interval to retry connecting to cassandra nodes marked as DOWN.
Number of retries to perform on a request. Set to 0 to disable retries. Default: 0.
Maximum time to wait before retrying a failed request.
Minimum time to wait before retrying a failed request.
Limit number of concurrent queries to Cassandra. Set to 0 to disable the limit. Default: 0.
Number of TCP connections per host. Default: 2.
Convict hosts of being down on failure.
Table options used to create index or chunk tables. This value is used as plain text in the table WITH like this, "CREATE TABLE <generated_by_cortex> (...) WITH <cassandra.table-options>". For details, see https://cortexmetrics.io/docs/production/cassandra. By default it will use the default table options of your Cassandra cluster.
Deprecated: Configures storing index in BoltDB. Required fields are only required when boltdb is present in the configuration.
1 nested properties
Location of BoltDB index files.
1 nested properties
Directory to store chunks in.
19 nested properties
OpenStack Swift authentication API version. 0 to autodetect. Default: 0.
OpenStack Swift authentication URL
Set this to true to use the internal OpenStack Swift endpoint URL
OpenStack Swift username.
OpenStack Swift user's domain name.
OpenStack Swift user's domain ID.
OpenStack Swift user ID.
OpenStack Swift API key.
OpenStack Swift user's domain ID.
OpenStack Swift user's domain name.
OpenStack Swift project ID (v2,v3 auth only).
OpenStack Swift project name (v2,v3 auth only).
ID of the OpenStack Swift project's domain (v3 auth only), only needed if it differs from the user domain.
Name of the OpenStack Swift project's domain (v3 auth only), only needed if it differs from the user domain.
OpenStack Swift Region to use (v2,v3 auth only).
Name of the OpenStack Swift container to put chunks in.
Max retries on requests error. Default: 3.
Time after which a connection attempt is aborted.
Time after which an idle request is aborted. The timeout watchdog is reset each time some data is received, so the timeout triggers after X time no data is received on a request.
Deprecated:
1 nested properties
Hostname or IP of the gRPC store instance.
3 nested properties
If set to a non-zero value a second request will be issued at the provided duration. Default is 0 (disabled)
The maximum of hedge requests allowed. Default: 2.
The maximum of hedge requests allowed per second. Default: 5.
14 nested properties
Set this to true to force the request to use path-style addressing.
Comma separated list of bucket names to evenly distribute chunks over.
COS Endpoint to connect to.
COS region to use.
COS HMAC Access Key ID.
COS HMAC Secret Access Key.
2 nested properties
The maximum amount of time an idle connection will be held open.
If non-zero, specifies the amount of time to wait for a server's response headers after fully writing the request.
Configures back off when cos get Object.
3 nested properties
Minimum backoff time when cos get Object.
Maximum backoff time when cos get Object.
Maximum number of times to retry when cos get Object. Default: 5.
IAM API key to access COS.
COS service instance id to use.
IAM Auth Endpoint for authentication.
Compute resource token file path.
Name of the trusted profile.
ID of the trusted profile.
Cache validity for active index entries. Should be no higher than -ingester.max-chunk-idle.
4 nested properties
Use storage congestion control (default: disabled).
2 nested properties
Congestion control strategy to use (default: none, options: 'aimd').
2 nested properties
Congestion control retry strategy to use (default: none, options: 'limited').
Maximum number of retries allowed. Default: 2.
2 nested properties
Congestion control hedge strategy to use (default: none, options: 'limited').
Experimental. Sets a constant prefix for all keys inserted into object storage. Example: loki/
6 nested properties
The default validity of entries for caches unless overridden.
3 nested properties
At what concurrency to write back to cache. Default: 1.
How many key batches to buffer for background write-back. Default is large to prefer size based limiting. Default: 500000.
Size limit in bytes for background write-back. Default: 500MB.
3 nested properties
How long keys stay in the memcache.
How many keys to fetch in each batch. Default: 4.
Maximum active requests to memcache. Default: 5.
19 nested properties
Hostname for memcached service to use. If empty and if addresses is unset, no memcached will be used.
SRV service used to discover memcache servers.
Comma separated addresses list in DNS Service Discovery format: https://grafana.com/docs/mimir/latest/configure/about-dns-service-discovery/#supported-discovery-modes
Maximum time to wait before giving up on memcached requests.
Maximum number of idle connections in pool. Default: 16.
The maximum size of an item stored in memcached. Bigger items are not stored. If set to 0, no maximum size is enforced. Default: 0.
Period with which to poll DNS for memcache servers.
Use consistent hashing to distribute to memcache servers.
Trip circuit-breaker after this number of consecutive dial failures (if zero then circuit-breaker is disabled). Default: 10.
Duration circuit-breaker remains open after tripping (if zero then 60 seconds is used).
Reset circuit-breaker counts after this long (if zero then never reset).
Enable connecting to Memcached with TLS.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
13 nested properties
Redis Server or Cluster configuration endpoint to use for caching. A comma-separated list of endpoints for Redis Cluster or Redis Sentinel. If empty, no redis will be used.
Redis Sentinel master name. An empty string for Redis Server or Redis Cluster.
Maximum time to wait before giving up on redis requests.
How long keys stay in the redis.
Database index. Default: 0.
Maximum number of connections in the pool. Default: 0.
Username to use when connecting to redis.
Password to use when connecting to redis.
Enable connecting to redis with TLS.
Skip validating server certificate.
Close connections after remaining idle for this duration. If the value is zero, then idle connections are not closed.
Close connections older than this duration. If the value is zero, then the pool does not close connections based on age.
By default, the Redis client only reads from the master node. Enabling this option can lower pressure on the master node by randomly routing read-only commands to the master and any available replicas.
4 nested properties
Whether embedded cache is enabled.
Maximum memory size of the cache in MB. Default: 100.
Maximum number of entries in the cache. Default: 0.
The time to live for items in the cache before they get purged.
Disable broad index queries which results in reduced cache usage and faster query performance at the expense of somewhat higher QPS on the index store.
Maximum number of parallel chunk reads. Default: 150.
The maximum number of chunks to fetch per batch. Default: 50.
Configures storing index in an Object Store (GCS/S3/Azure/Swift/COS/Filesystem) in the form of boltdb files. Required fields are only required when boltdb-shipper is defined in config.
10 nested properties
Directory where ingesters would write index files which would then be uploaded by shipper to configured storage
Cache location for restoring index files from storage for queries
TTL for index files restored in cache for queries
Resync downloaded files with the storage
Number of days of common index to be kept downloaded for queries. For per tenant index query readiness, use limits overrides config. Default: 0.
3 nested properties
Hostname or IP of the Index Gateway gRPC server running in simple mode. Can also be prefixed with dns+, dnssrv+, or dnssrvnoa+ to resolve a DNS A record with multiple IPs, a DNS SRV record with a followup A record lookup, or a DNS SRV record without a followup A record lookup, respectively.
Whether requests sent to the gateway should be logged or not.
Build per tenant index files
Configures storing index in an Object Store (GCS/S3/Azure/Swift/COS/Filesystem) in a prometheus TSDB-like format. Required fields are only required when TSDB is defined in config.
9 nested properties
Directory where ingesters would write index files which would then be uploaded by shipper to configured storage
Cache location for restoring index files from storage for queries
TTL for index files restored in cache for queries
Resync downloaded files with the storage
Number of days of common index to be kept downloaded for queries. For per tenant index query readiness, use limits overrides config. Default: 0.
3 nested properties
Hostname or IP of the Index Gateway gRPC server running in simple mode. Can also be prefixed with dns+, dnssrv+, or dnssrvnoa+ to resolve a DNS A record with multiple IPs, a DNS SRV record with a followup A record lookup, or a DNS SRV record without a followup A record lookup, respectively.
Whether requests sent to the gateway should be logged or not.
Experimental: Configures the bloom shipper component, which contains the store abstraction to fetch bloom filters from and put them to object storage.
5 nested properties
Working directory to store downloaded bloom blocks. Supports multiple directories, separated by comma.
Maximum size of bloom pages that should be queried. Larger pages than this limit are skipped when querying blooms to limit memory usage. Default: 64MiB.
The maximum number of concurrent bloom block downloads. Usually set to 2x number of CPU cores. Default: 8.
3 nested properties
Cache for bloom blocks. Soft limit of the cache in bytes. Exceeding this limit will trigger evictions of least recently used items in the background. Default: 32GiB.
Cache for bloom blocks. Hard limit of the cache in bytes. Exceeding this limit will block execution until usage falls below the soft limit. Default: 64GiB.
Cache for bloom blocks. The time to live for items in the cache before they get purged.
6 nested properties
The default validity of entries for caches unless overridden.
5 nested properties
6 nested properties
The default validity of entries for caches unless overridden.
3 nested properties
At what concurrency to write back to cache. Default: 1.
How many key batches to buffer for background write-back. Default is large to prefer size based limiting. Default: 500000.
Size limit in bytes for background write-back. Default: 500MB.
3 nested properties
How long keys stay in the memcache.
How many keys to fetch in each batch. Default: 4.
Maximum active requests to memcache. Default: 5.
19 nested properties
Hostname for memcached service to use. If empty and if addresses is unset, no memcached will be used.
SRV service used to discover memcache servers.
Comma separated addresses list in DNS Service Discovery format: https://grafana.com/docs/mimir/latest/configure/about-dns-service-discovery/#supported-discovery-modes
Maximum time to wait before giving up on memcached requests.
Maximum number of idle connections in pool. Default: 16.
The maximum size of an item stored in memcached. Bigger items are not stored. If set to 0, no maximum size is enforced. Default: 0.
Period with which to poll DNS for memcache servers.
Use consistent hashing to distribute to memcache servers.
Trip circuit-breaker after this number of consecutive dial failures (if zero then circuit-breaker is disabled). Default: 10.
Duration circuit-breaker remains open after tripping (if zero then 60 seconds is used).
Reset circuit-breaker counts after this long (if zero then never reset).
Enable connecting to Memcached with TLS.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
13 nested properties
Redis Server or Cluster configuration endpoint to use for caching. A comma-separated list of endpoints for Redis Cluster or Redis Sentinel. If empty, no redis will be used.
Redis Sentinel master name. An empty string for Redis Server or Redis Cluster.
Maximum time to wait before giving up on redis requests.
How long keys stay in the redis.
Database index. Default: 0.
Maximum number of connections in the pool. Default: 0.
Username to use when connecting to redis.
Password to use when connecting to redis.
Enable connecting to redis with TLS.
Skip validating server certificate.
Close connections after remaining idle for this duration. If the value is zero, then idle connections are not closed.
Close connections older than this duration. If the value is zero, then the pool does not close connections based on age.
By default, the Redis client only reads from the master node. Enabling this option can lower pressure on the master node by randomly routing read-only commands to the master and any available replicas.
4 nested properties
Whether embedded cache is enabled.
Maximum memory size of the cache in MB. Default: 100.
Maximum number of entries in the cache. Default: 0.
The time to live for items in the cache before they get purged.
6 nested properties
The default validity of entries for caches unless overridden.
3 nested properties
At what concurrency to write back to cache. Default: 1.
How many key batches to buffer for background write-back. Default is large to prefer size based limiting. Default: 500000.
Size limit in bytes for background write-back. Default: 500MB.
3 nested properties
How long keys stay in the memcache.
How many keys to fetch in each batch. Default: 4.
Maximum active requests to memcache. Default: 5.
19 nested properties
Hostname for memcached service to use. If empty and if addresses is unset, no memcached will be used.
SRV service used to discover memcache servers.
Comma separated addresses list in DNS Service Discovery format: https://grafana.com/docs/mimir/latest/configure/about-dns-service-discovery/#supported-discovery-modes
Maximum time to wait before giving up on memcached requests.
Maximum number of idle connections in pool. Default: 16.
The maximum size of an item stored in memcached. Bigger items are not stored. If set to 0, no maximum size is enforced. Default: 0.
Period with which to poll DNS for memcache servers.
Use consistent hashing to distribute to memcache servers.
Trip circuit-breaker after this number of consecutive dial failures (if zero then circuit-breaker is disabled). Default: 10.
Duration circuit-breaker remains open after tripping (if zero then 60 seconds is used).
Reset circuit-breaker counts after this long (if zero then never reset).
Enable connecting to Memcached with TLS.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
13 nested properties
Redis Server or Cluster configuration endpoint to use for caching. A comma-separated list of endpoints for Redis Cluster or Redis Sentinel. If empty, no redis will be used.
Redis Sentinel master name. An empty string for Redis Server or Redis Cluster.
Maximum time to wait before giving up on redis requests.
How long keys stay in the redis.
Database index. Default: 0.
Maximum number of connections in the pool. Default: 0.
Username to use when connecting to redis.
Password to use when connecting to redis.
Enable connecting to redis with TLS.
Skip validating server certificate.
Close connections after remaining idle for this duration. If the value is zero, then idle connections are not closed.
Close connections older than this duration. If the value is zero, then the pool does not close connections based on age.
By default, the Redis client only reads from the master node. Enabling this option can lower pressure on the master node by randomly routing read-only commands to the master and any available replicas.
4 nested properties
Whether embedded cache is enabled.
Maximum memory size of the cache in MB. Default: 100.
Maximum number of entries in the cache. Default: 0.
The time to live for items in the cache before they get purged.
6 nested properties
The default validity of entries for caches unless overridden.
3 nested properties
At what concurrency to write back to cache. Default: 1.
How many key batches to buffer for background write-back. Default is large to prefer size based limiting. Default: 500000.
Size limit in bytes for background write-back. Default: 500MB.
3 nested properties
How long keys stay in the memcache.
How many keys to fetch in each batch. Default: 4.
Maximum active requests to memcache. Default: 5.
19 nested properties
Hostname for memcached service to use. If empty and if addresses is unset, no memcached will be used.
SRV service used to discover memcache servers.
Comma separated addresses list in DNS Service Discovery format: https://grafana.com/docs/mimir/latest/configure/about-dns-service-discovery/#supported-discovery-modes
Maximum time to wait before giving up on memcached requests.
Maximum number of idle connections in pool. Default: 16.
The maximum size of an item stored in memcached. Bigger items are not stored. If set to 0, no maximum size is enforced. Default: 0.
Period with which to poll DNS for memcache servers.
Use consistent hashing to distribute to memcache servers.
Trip circuit-breaker after this number of consecutive dial failures (if zero then circuit-breaker is disabled). Default: 10.
Duration circuit-breaker remains open after tripping (if zero then 60 seconds is used).
Reset circuit-breaker counts after this long (if zero then never reset).
Enable connecting to Memcached with TLS.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
13 nested properties
Redis Server or Cluster configuration endpoint to use for caching. A comma-separated list of endpoints for Redis Cluster or Redis Sentinel. If empty, no redis will be used.
Redis Sentinel master name. An empty string for Redis Server or Redis Cluster.
Maximum time to wait before giving up on redis requests.
How long keys stay in the redis.
Database index. Default: 0.
Maximum number of connections in the pool. Default: 0.
Username to use when connecting to redis.
Password to use when connecting to redis.
Enable connecting to redis with TLS.
Skip validating server certificate.
Close connections after remaining idle for this duration. If the value is zero, then idle connections are not closed.
Close connections older than this duration. If the value is zero, then the pool does not close connections based on age.
By default, the Redis client only reads from the master node. Enabling this option can lower pressure on the master node by randomly routing read-only commands to the master and any available replicas.
4 nested properties
Whether embedded cache is enabled.
Maximum memory size of the cache in MB. Default: 100.
Maximum number of entries in the cache. Default: 0.
The time to live for items in the cache before they get purged.
Chunks will be handed off to the L2 cache after this duration. 0 to disable L2 cache.
Cache index entries older than this period. 0 to disable.
1 nested properties
17 nested properties
Directory where files can be downloaded for compaction.
Interval at which to re-run the compaction operation.
Interval at which to apply/enforce retention. 0 means run at same interval as compaction. If non-zero, it should always be a multiple of compaction interval.
Activate custom (per-stream,per-tenant) retention.
Delay after which chunks will be fully deleted during retention.
The total number of workers to use to delete chunks. Default: 150.
The maximum amount of time to spend running retention and deletion on any given table in the index.
Store used for managing delete requests.
Path prefix for storing delete requests.
The max number of delete requests to run per compaction cycle. Default: 70.
Allow cancellation of delete requests until this duration after they are created. Data is deleted only once delete requests are older than this duration. Ideally this should be set to at least 24h.
Constrain the size of any single delete request with line filters. When a delete request > delete_max_interval is input, the request is sharded into smaller requests of no more than delete_max_interval.
Maximum number of tables to compact in parallel. While increasing this value, please make sure compactor has enough disk space allocated to be able to store and compact as many tables. Default: 1.
Number of upload/remove operations to execute in parallel when finalizing a compaction. NOTE: This setting is per compaction operation, which can be executed in parallel. The upper bound on the number of concurrent uploads is upload_parallelism * max_compaction_parallelism. Default: 10.
The hash ring configuration used by compactors to elect a single instance for running compactions. The CLI flags prefix for this block config is: compactor.ring
13 nested properties
Period at which to heartbeat to the ring. 0 = disabled.
The heartbeat timeout after which compactors are considered unhealthy within the ring. 0 = never (timeout disabled).
File path where tokens are stored. If empty, tokens are not stored at shutdown and restored at startup.
True to enable zone-awareness and replicate blocks across different availability zones.
Instance ID to register in the ring.
Name of network interface to read address from.
Port to advertise in the ring (defaults to server.grpc-listen-port). Default: 0.
IP address to advertise in the ring.
The availability zone where this instance is running. Required if zone-awareness is enabled.
Enable using an IPv6 instance address.
Number of tables that compactor will try to compact. Newer tables are chosen when this is less than the number of tables available. Default: 0.
Do not compact N latest tables. Together with -compactor.run-once and -compactor.tables-to-compact, this is useful when clearing compactor backlogs. Default: 0.
20 nested properties
gRPC client max receive message size (bytes). Default: 104857600.
gRPC client max send message size (bytes). Default: 104857600.
Use compression when sending messages. Supported values are: 'gzip', 'snappy' and '' (disable compression)
Rate limit for gRPC client; 0 means disabled. Default: 0.
Rate limit burst for gRPC client. Default: 0.
Enable backoff and retry when we hit rate limits.
3 nested properties
Minimum delay when backing off.
Maximum delay when backing off.
Number of times to backoff and retry before failing. Default: 10.
Initial stream window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Initial connection window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Enable TLS in the gRPC client. This flag needs to be enabled when any other TLS flag is set. If set to false, insecure connection to gRPC server will be used.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
The maximum amount of time to establish a connection. A value of 0 means default gRPC client connect timeout and backoff.
Initial backoff delay after first connection failure. Only relevant if ConnectTimeout > 0.
Maximum backoff delay when establishing a connection. Only relevant if ConnectTimeout > 0.
96 nested properties
Whether the ingestion rate limit should be applied individually to each distributor instance (local), or evenly shared across the cluster (global). The ingestion rate strategy cannot be overridden on a per-tenant basis.
- local: enforces the limit on a per distributor basis. The actual effective rate limit will be N times higher, where N is the number of distributor replicas.
- global: enforces the limit globally, configuring a per-distributor local rate limiter as 'ingestion_rate / N', where N is the number of distributor replicas (it's automatically adjusted if the number of replicas changes). The global strategy requires the distributors to form their own ring, which is used to keep track of the current number of healthy distributor replicas.
Per-user ingestion rate limit in sample size per second. Units in MB. Default: 4.
Per-user allowed ingestion burst size (in sample size). Units in MB. The burst size refers to the per-distributor local rate limiter even in the case of the 'global' strategy, and should be set at least to the maximum logs size expected in a single push request. Default: 6.
Maximum length accepted for label names. Default: 1024.
Maximum length accepted for label value. This setting also applies to the metric name. Default: 2048.
Maximum number of label names per series. Default: 15.
Whether or not old samples will be rejected.
Maximum accepted sample age before rejecting.
Duration which table will be created/deleted before/after it's needed; we won't accept samples from before this time.
Maximum line size on ingestion path. Example: 256kb. Any log line exceeding this limit will be discarded unless distributor.max-line-size-truncate is set, in which case it is truncated instead of being discarded completely. There is no limit when unset or set to 0. Default: 256KB.
Whether to truncate lines that exceed max_line_size.
Alter the log line timestamp during ingestion when the timestamp is the same as the previous entry for the same stream. When enabled, if a log line in a push request has the same timestamp as the previous line for the same stream, one nanosecond is added to the log line. This will preserve the received order of log lines with the exact same timestamp when they are queried, by slightly altering their stored timestamp. NOTE: This is imperfect, because Loki accepts out of order writes, and another push request for the same stream could contain duplicate timestamps to existing entries and they will not be incremented.
If no service_name label exists, Loki maps a single label from the configured list to service_name. If none of the configured labels exist in the stream, label is set to unknown_service. Empty list disables setting the label.
Discover and add log levels during ingestion, if not present already. Levels would be added to Structured Metadata with name 'level' and one of the values from 'debug', 'info', 'warn', 'error', 'critical', 'fatal'.
Maximum number of active streams per user, per ingester. 0 to disable. Default: 0.
Maximum number of active streams per user, across the cluster. 0 to disable. When the global limit is enabled, each ingester is configured with a dynamic local limit based on the replication factor and the current number of healthy ingesters, and is kept updated whenever the number of ingesters changes. Default: 5000.
Deprecated. When true, out-of-order writes are accepted.
Maximum byte rate per second per stream, also expressible in human readable forms (1MB, 256KB, etc). Default: 3MB.
Maximum burst bytes per stream, also expressible in human readable forms (1MB, 256KB, etc). This is how far above the rate limit a stream can 'burst' before the stream is limited. Default: 15MB.
Maximum number of chunks that can be fetched in a single query. Default: 2000000.
Limit the maximum number of unique series returned by a metric query. When the limit is reached, an error is returned. Default: 500.
Limit how far back in time series data and metadata can be queried, up until lookback duration ago. This limit is enforced in the query frontend, the querier and the ruler. If the requested time range is outside the allowed range, the request will not fail, but will be modified to only query data within the allowed time range. The default value of 0 does not set a limit.
The limit to length of chunk store queries. 0 to disable.
Limit the length of the [range] inside a range query. Default is 0 or unlimited.
Maximum number of queries that will be scheduled in parallel by the frontend. Default: 32.
Maximum number of queries that will be scheduled in parallel by the frontend for TSDB schemas. Default: 128.
Target maximum number of bytes assigned to a single sharded query. Also expressible in human readable forms (1GB, etc). Note: This is a target and not an absolute limit. The actual limit can be higher, but the query planner will try to build shards up to this limit. Default: 600MB.
Sharding strategy to use in query planning. Suggested to use bounded once all nodes can recognize it.
Cardinality limit for index queries. Default: 100000.
Maximum number of stream matchers per query. Default: 1000.
Maximum number of concurrent tail requests. Default: 10.
Maximum number of log entries that will be returned for a query. Default: 5000.
Most recent allowed cacheable result per-tenant, to prevent caching very recent results that might still be in flux.
Do not cache metadata request if the end time is within the frontend.max-metadata-cache-freshness window. Set this to 0 to apply no such limits. Defaults to 24h.
Do not cache requests with an end time that falls within Now minus this duration. 0 disables this feature (default).
Maximum number of queriers that can handle requests for a single tenant. If set to 0 or value higher than number of available queriers, all queriers will handle requests for the tenant. Each frontend (or query-scheduler, if used) will select the same set of queriers for the same tenant (given that all queriers are connected to all frontends / query-schedulers). This option only works with queriers connecting to the query-frontend / query-scheduler, not when using downstream URL. Default: 0.
How much of the available query capacity ("querier" components in distributed mode, "read" components in SSD mode) can be used by a single tenant. Allowed values are 0.0 to 1.0. For example, setting this to 0.5 would allow a tenant to use half of the available queriers for processing the query workload. If set to 0, query capacity is determined by frontend.max-queriers-per-tenant. When both frontend.max-queriers-per-tenant and frontend.max-query-capacity are configured, the smaller of the resulting querier replica counts is used: min(frontend.max-queriers-per-tenant, ceil(querier_replicas * frontend.max-query-capacity)). All queriers will handle requests for the tenant if neither limit is applied. This option only works with queriers connecting to the query-frontend / query-scheduler, not when using downstream URL. Use this feature in a multi-tenant setup where you need to limit query capacity for certain tenants. Default: 0.
Number of days of index to be kept always downloaded for queries. Applies only to per user index in boltdb-shipper index store. 0 to disable. Default: 0.
Timeout when querying backends (ingesters or storage) during the execution of a query request. When a specific per-tenant timeout is used, the global timeout is ignored.
Split queries by a time interval and execute in parallel. The value 0 disables splitting by time. This also determines how cache keys are chosen when result caching is enabled.
Split metadata queries by a time interval and execute in parallel. The value 0 disables splitting metadata queries by time. This also determines how cache keys are chosen when label/series result caching is enabled.
Experimental. Split interval to use for the portion of a metadata request that falls within recent_metadata_query_window. The rest of the request, which is outside the window, still uses split_metadata_queries_by_interval. If set to 0, the entire request defaults to using a split interval of split_metadata_queries_by_interval.
Experimental. Metadata query window inside which split_recent_metadata_queries_by_interval gets applied: the portion of the metadata request that falls in this window is split using split_recent_metadata_queries_by_interval. The value 0 disables using a different split interval for recent metadata queries.
This is added to improve cacheability of recent metadata queries. Query split interval also determines the interval used in the cache key. The default split interval of 24h is useful for caching long queries, each cache key holding 1 day's results. But metadata queries are often shorter than 24h, so to cache them effectively we need a smaller split interval. recent_metadata_query_window along with split_recent_metadata_queries_by_interval help configure a shorter split interval for recent metadata queries.
Split instant metric queries by a time interval and execute in parallel. The value 0 disables splitting instant metric queries by time. This also determines how cache keys are chosen when instant metric query result caching is enabled.
Interval to use for time-based splitting when a request is within the query_ingesters_within window; defaults to split-queries-by-interval by setting to 0.
Limit queries that can be sharded. Queries within the time range of now and now minus this sharding lookback are not sharded. The default value of 0s disables the lookback, causing sharding of all queries at all times.
Max number of bytes a query can fetch. Enforced in log and metric queries only when TSDB is used. The default value of 0 disables this limit. Default: 0B.
Max number of bytes a query can fetch after splitting and sharding. Enforced in log and metric queries only when TSDB is used. The default value of 0 disables this limit. Default: 150GB.
Enable log-volume endpoints.
The maximum number of aggregated series in a log-volume response. Default: 1000.
Maximum number of rules per rule group per-tenant. 0 to disable. Default: 0.
Maximum number of rule groups per-tenant. 0 to disable. Default: 0.
The default tenant's shard size when shuffle-sharding is enabled in the ruler. When this setting is specified in the per-tenant overrides, a value of 0 disables shuffle sharding for the tenant. Default: 0.
Disable recording rules remote-write.
Deprecated: Use 'ruler_remote_write_config' instead. The URL of the endpoint to send samples to.
Deprecated: Use 'ruler_remote_write_config' instead. Timeout for requests to the remote write endpoint.
Deprecated: Use 'ruler_remote_write_config' instead. Custom HTTP headers to be sent along with each remote write request. Be aware that headers that are set by Loki itself can't be overwritten.
Deprecated: Use 'ruler_remote_write_config' instead. List of remote write relabel configurations.
Deprecated: Use 'ruler_remote_write_config' instead. Number of samples to buffer per shard before we block reading of more samples from the WAL. It is recommended to have enough capacity in each shard to buffer several requests to keep throughput up while processing occasional slow remote requests.
Deprecated: Use 'ruler_remote_write_config' instead. Minimum number of shards, i.e. amount of concurrency.
Deprecated: Use 'ruler_remote_write_config' instead. Maximum number of shards, i.e. amount of concurrency.
Deprecated: Use 'ruler_remote_write_config' instead. Maximum number of samples per send.
Deprecated: Use 'ruler_remote_write_config' instead. Maximum time a sample will wait in buffer.
Deprecated: Use 'ruler_remote_write_config' instead. Initial retry delay. Gets doubled for every retry.
Deprecated: Use 'ruler_remote_write_config' instead. Maximum retry delay.
Deprecated: Use 'ruler_remote_write_config' instead. Retry upon receiving a 429 status code from the remote-write storage. This is experimental and might change in the future.
Deprecated: Use 'ruler_remote_write_config' instead. Configures AWS's Signature Verification 4 signing process to sign every remote write request.
5 nested properties
Configures global and per-tenant limits for remote write clients. A map with remote client id as key.
Timeout for a remote rule evaluation. Defaults to the value of 'querier.query-timeout'.
Maximum size (in bytes) of the allowable response size from a remote rule evaluation. Set to 0 to allow any response size (default).
Deletion mode. Can be one of 'disabled', 'filter-only', or 'filter-and-delete'. When set to 'filter-only' or 'filter-and-delete', and if retention_enabled is true, then the log entry deletion API endpoints are available.
Retention period to apply to stored data, only applies if retention_enabled is true in the compactor config. As of version 2.8.0, a zero value of 0 or 0s disables retention. In previous releases, Loki did not properly honor a zero value to disable retention and a really large value should be used instead.
Per-stream retention to apply, if retention is enabled on the compactor side. Example:
retention_stream:
- selector: '{namespace="dev"}'
  priority: 1
  period: 24h
- selector: '{container="nginx"}'
  priority: 1
  period: 744h
Selector is a Prometheus label matcher that applies the 'period' retention only if the stream matches. If multiple selectors match a stream, the one with the highest priority is picked. If no rule matches, 'retention_period' is used.
Feature renamed to 'runtime configuration', flag deprecated in favor of -runtime-config.file (runtime_config.file in YAML).
Feature renamed to 'runtime configuration'; flag deprecated in favor of -runtime-config.reload-period (runtime_config.period in YAML).
Deprecated: Use deletion_mode per tenant configuration instead.
3 nested properties
Define a list of required selector labels.
Minimum number of label matchers a query should contain.
The shard size defines how many index gateways should be used by a tenant for querying. If the global shard factor is 0, the global shard factor is set to the deprecated -replication-factor for backwards compatibility reasons. Default: 0.
Experimental. The shard size defines how many bloom gateways should be used by a tenant for querying. Default: 0.
Experimental. Whether to use the bloom gateway component in the read path to filter chunks.
Experimental. Interval for computing the cache key in the Bloom Gateway.
Experimental. The shard size defines how many bloom compactors should be used by a tenant when computing blooms. If it's set to 0, shuffle sharding is disabled. Default: 0.
Experimental. Whether to compact chunks into bloom filters.
Experimental. The maximum bloom block size. A value of 0 sets an unlimited size. Default is 200MB. The actual block size might exceed this limit since blooms will be added to blocks until the block exceeds the maximum block size. Default: 200MB.
Experimental. The maximum bloom size per log stream. A log stream whose generated bloom filter exceeds this size will be discarded. A value of 0 sets an unlimited size. Default is 128MB. Default: 128MB.
Experimental. Length of the n-grams created when computing blooms from log lines. Default: 4.
Experimental. Skip factor for the n-grams created when computing blooms from log lines. Default: 1.
Experimental. Scalable Bloom Filter desired false-positive rate. Default: 0.01.
Experimental. Compression algorithm for bloom block pages.
Allow user to send structured metadata in push payload.
Maximum size accepted for structured metadata per log line. Default: 64KB.
Maximum number of structured metadata entries per log line. Default: 128.
OTLP log ingestion configurations
3 nested properties
Configuration for resource attributes to store them as index labels or Structured Metadata or drop them altogether
2 nested properties
Configure whether to ignore the default list of resource attributes set in 'distributor.otlp.default_resource_attributes_as_index_labels' to be stored as index labels and only use the given resource attributes config
Configuration for scope attributes to store them as Structured Metadata or drop them altogether
Configuration for log attributes to store them as Structured Metadata or drop them altogether
5 nested properties
Address of query frontend service, in host:port format. If -querier.scheduler-address is set as well, querier will use scheduler instead. Only one of -querier.frontend-address or -querier.scheduler-address can be set. If neither is set, queries are only received via HTTP endpoint.
Hostname (and port) of scheduler that querier will periodically resolve, connect to and receive queries from. Only one of -querier.frontend-address or -querier.scheduler-address can be set. If neither is set, queries are only received via HTTP endpoint.
How often to query DNS for query-frontend or query-scheduler address. Also used to determine how often to poll the scheduler-ring for addresses if the scheduler-ring is configured.
Querier ID, sent to frontend service to identify requests from the same querier. Defaults to hostname.
20 nested properties
gRPC client max receive message size (bytes). Default: 104857600.
gRPC client max send message size (bytes). Default: 104857600.
Use compression when sending messages. Supported values are: 'gzip', 'snappy' and '' (disable compression)
Rate limit for gRPC client; 0 means disabled. Default: 0.
Rate limit burst for gRPC client. Default: 0.
Enable backoff and retry when we hit rate limits.
3 nested properties
Minimum delay when backing off.
Maximum delay when backing off.
Number of times to backoff and retry before failing. Default: 10.
Initial stream window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Initial connection window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Enable TLS in the gRPC client. This flag needs to be enabled when any other TLS flag is set. If set to false, insecure connection to gRPC server will be used.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
The maximum amount of time to establish a connection. A value of 0 means default gRPC client connect timeout and backoff.
Initial backoff delay after first connection failure. Only relevant if ConnectTimeout > 0.
Maximum backoff delay when establishing a connection. Only relevant if ConnectTimeout > 0.
7 nested properties
If true, disable all changes to DB capacity
If true, enables retention deletes of DB tables
Tables older than this retention period are deleted. Must be either 0 (disabled) or a multiple of 24h. When enabled, be aware this setting is destructive to data!
How frequently to poll backend to learn our capacity.
Periodic tables grace period (duration which table will be created/deleted before/after it's needed).
12 nested properties
Enables on demand throughput provisioning for the storage provider (if supported). Applies only to tables which are not autoscaled. Supported by DynamoDB
Table default write throughput. Supported by DynamoDB. Default: 1000.
Table default read throughput. Supported by DynamoDB. Default: 300.
7 nested properties
Should we enable autoscale for the table.
AWS AutoScaling role ARN
DynamoDB minimum provision capacity. Default: 3000.
DynamoDB maximum provision capacity. Default: 6000.
DynamoDB minimum seconds between each autoscale up. Default: 1800.
DynamoDB minimum seconds between each autoscale down. Default: 1800.
DynamoDB target ratio of consumed capacity to provisioned capacity. Default: 80.
7 nested properties
Should we enable autoscale for the table.
AWS AutoScaling role ARN
DynamoDB minimum provision capacity. Default: 3000.
DynamoDB maximum provision capacity. Default: 6000.
DynamoDB minimum seconds between each autoscale up. Default: 1800.
DynamoDB minimum seconds between each autoscale down. Default: 1800.
DynamoDB target ratio of consumed capacity to provisioned capacity. Default: 80.
Enables on demand throughput provisioning for the storage provider (if supported). Applies only to tables which are not autoscaled. Supported by DynamoDB
Table write throughput for inactive tables. Supported by DynamoDB. Default: 1.
Table read throughput for inactive tables. Supported by DynamoDB. Default: 300.
7 nested properties
Should we enable autoscale for the table.
AWS AutoScaling role ARN
DynamoDB minimum provision capacity. Default: 3000.
DynamoDB maximum provision capacity. Default: 6000.
DynamoDB minimum seconds between each autoscale up. Default: 1800.
DynamoDB minimum seconds between each autoscale down. Default: 1800.
DynamoDB target ratio of consumed capacity to provisioned capacity. Default: 80.
7 nested properties
Should we enable autoscale for the table.
AWS AutoScaling role ARN
DynamoDB minimum provision capacity. Default: 3000.
DynamoDB maximum provision capacity. Default: 6000.
DynamoDB minimum seconds between each autoscale up. Default: 1800.
DynamoDB minimum seconds between each autoscale down. Default: 1800.
DynamoDB target ratio of consumed capacity to provisioned capacity. Default: 80.
Number of last inactive tables to enable write autoscale. Default: 4.
Number of last inactive tables to enable read autoscale. Default: 4.
12 nested properties
Enables on demand throughput provisioning for the storage provider (if supported). Applies only to tables which are not autoscaled. Supported by DynamoDB
Table default write throughput. Supported by DynamoDB. Default: 1000.
Table default read throughput. Supported by DynamoDB. Default: 300.
7 nested properties
Should we enable autoscale for the table.
AWS AutoScaling role ARN
DynamoDB minimum provision capacity. Default: 3000.
DynamoDB maximum provision capacity. Default: 6000.
DynamoDB minimum seconds between each autoscale up. Default: 1800.
DynamoDB minimum seconds between each autoscale down. Default: 1800.
DynamoDB target ratio of consumed capacity to provisioned capacity. Default: 80.
7 nested properties
Should we enable autoscale for the table.
AWS AutoScaling role ARN
DynamoDB minimum provision capacity. Default: 3000.
DynamoDB maximum provision capacity. Default: 6000.
DynamoDB minimum seconds between each autoscale up. Default: 1800.
DynamoDB minimum seconds between each autoscale down. Default: 1800.
DynamoDB target ratio of consumed capacity to provisioned capacity. Default: 80.
Enables on demand throughput provisioning for the storage provider (if supported). Applies only to tables which are not autoscaled. Supported by DynamoDB
Table write throughput for inactive tables. Supported by DynamoDB. Default: 1.
Table read throughput for inactive tables. Supported by DynamoDB. Default: 300.
7 nested properties
Should we enable autoscale for the table.
AWS AutoScaling role ARN
DynamoDB minimum provision capacity. Default: 3000.
DynamoDB maximum provision capacity. Default: 6000.
DynamoDB minimum seconds between each autoscale up. Default: 1800.
DynamoDB minimum seconds between each autoscale down. Default: 1800.
DynamoDB target ratio of consumed capacity to provisioned capacity. Default: 80.
7 nested properties
Should we enable autoscale for the table.
AWS AutoScaling role ARN
DynamoDB minimum provision capacity. Default: 3000.
DynamoDB maximum provision capacity. Default: 6000.
DynamoDB minimum seconds between each autoscale up. Default: 1800.
DynamoDB minimum seconds between each autoscale down. Default: 1800.
DynamoDB target ratio of consumed capacity to provisioned capacity. Default: 80.
Number of last inactive tables to enable write autoscale. Default: 4.
Number of last inactive tables to enable read autoscale. Default: 4.
35 nested properties
Name of the node in memberlist cluster. Defaults to hostname.
Add random suffix to the node name.
The timeout for establishing a connection with a remote node, and for read/write operations.
Multiplication factor used when sending out messages (factor * log(N+1)). Default: 4.
How often to use pull/push sync.
How often to gossip.
How many nodes to gossip to. Default: 3.
How long to keep gossiping to dead nodes, to give them a chance to refute their death.
How soon a dead node's name can be reclaimed with a new address. 0 to disable.
Enable message compression. This can be used to reduce bandwidth usage at the cost of slightly more CPU utilization.
Gossip address to advertise to other members in the cluster. Used for NAT traversal.
Gossip port to advertise to other members in the cluster. Used for NAT traversal. Default: 7946.
The cluster label is an optional string to include in outbound packets and gossip streams. Other members in the memberlist cluster will discard any message whose label doesn't match the configured one, unless the 'cluster-label-verification-disabled' configuration option is set to true.
When true, memberlist doesn't verify that inbound packets and gossip streams have the cluster label matching the configured one. This verification should be disabled while rolling out the change to the configured cluster label in a live memberlist cluster.
Other cluster members to join. Can be specified multiple times. It can be an IP, hostname or an entry specified in the DNS Service Discovery format.
Min backoff duration to join other cluster members.
Max backoff duration to join other cluster members.
Max number of retries to join other cluster members. Default: 10.
If this node fails to join memberlist cluster, abort.
If not 0, how often to rejoin the cluster. Occasional rejoin can help to fix the cluster split issue, and is harmless otherwise. For example, when using only a few components as seed nodes (via -memberlist.join), it's recommended to use rejoin. If -memberlist.join points to a dynamic service that resolves to all gossiping nodes (e.g. a Kubernetes headless service), then rejoin is not needed.
How long to keep LEFT ingesters in the ring.
Timeout for leaving memberlist cluster.
How much space to use for keeping received and sent messages in memory for troubleshooting (two buffers). 0 to disable. Default: 0.
IP address to listen on for gossip messages. Multiple addresses may be specified. Defaults to 0.0.0.0.
Port to listen on for gossip messages. Default: 7946.
Timeout used when connecting to other nodes to send packet.
Timeout for writing 'packet' data.
Enable TLS on the memberlist transport layer.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
2 nested properties
How often to check runtime config files.
Comma separated list of yaml files with the configuration that can be updated at runtime. Runtime config files will be merged from left to right.
4 nested properties
Log every new stream created by a push request (very verbose, recommend to enable via runtime config only).
Log every push request (very verbose, recommend to enable via runtime config only).
Log every stream in a push request (very verbose, recommend to enable via runtime config only).
Log push errors with a rate limited logger, will show client push errors without overly spamming logs.
1 nested property
Set to false to disable tracing.
2 nested properties
Enable anonymous usage reporting.
URL to which reports are sent
9 nested properties
10 nested properties
14 nested properties
S3 endpoint URL with escaped Key and Secret encoded. If only region is specified as a host, proper endpoint will be deduced. Use inmemory:///
Set this to true to force the request to use path-style addressing.
Comma separated list of bucket names to evenly distribute chunks over. Overrides any buckets specified in s3.url flag
S3 Endpoint to connect to.
AWS region to use.
AWS Access Key ID
AWS Secret Access Key
AWS Session Token
Disable https on s3 connection.
The signature version to use for authenticating against S3. Supported values are: v4.
The S3 storage class which objects will use. Supported values are: GLACIER, DEEP_ARCHIVE, GLACIER_IR, INTELLIGENT_TIERING, ONEZONE_IA, OUTPOSTS, REDUCED_REDUNDANCY, STANDARD, STANDARD_IA.
Configures backoff for S3 GetObject requests.
7 nested properties
Name of GCS bucket. Please refer to https://cloud.google.com/docs/authentication/production for more information about how to configure authentication.
Service account key content in JSON format, refer to https://cloud.google.com/iam/docs/creating-managing-service-account-keys for creation.
The size of the buffer that the GCS client uses for each PUT request. 0 to disable buffering. Default: 0.
The duration after which the requests to GCS should be timed out.
Enable OpenCensus (OC) instrumentation for all requests.
Enable HTTP2 connections.
Enable automatic retries of failed idempotent requests.
21 nested properties
Azure Cloud environment. Supported values are: AzureGlobal, AzureChinaCloud, AzureGermanCloud, AzureUSGovernment.
Azure storage account name.
Azure storage account key.
If connection-string is set, the values of account-name and endpoint-suffix will not be used. Use this method over account-key if you need to authenticate via a SAS token or if you use the Azurite emulator.
Name of the storage account blob container used to store chunks. This container must be created before running cortex.
Azure storage endpoint suffix without schema. The storage account name will be prefixed to this value to create the FQDN.
Use Managed Identity to authenticate to the Azure storage account.
Use Federated Token to authenticate to the Azure storage account.
User assigned identity ID to authenticate to the Azure storage account.
Use Service Principal to authenticate through Azure OAuth.
Azure Service Principal ID(GUID).
Azure Service Principal secret key.
Azure Tenant ID is used to authenticate through Azure OAuth.
Chunk delimiter for blob ID to be used
Preallocated buffer size for downloads. Default: 512000.
Preallocated buffer size for uploads. Default: 256000.
Number of buffers used to upload a chunk. Default: 1.
Timeout for requests made against azure blob storage.
Number of retries for a request which times out. Default: 5.
Minimum time to wait before retrying a request.
Maximum time to wait before retrying a request.
4 nested properties
Name of OSS bucket.
OSS endpoint to connect to.
Alibaba Cloud Access Key ID
Alibaba Cloud Secret Access Key
4 nested properties
Name of BOS bucket.
BOS endpoint to connect to.
Baidu Cloud Engine (BCE) Access Key ID.
Baidu Cloud Engine (BCE) Secret Access Key.
19 nested properties
OpenStack Swift authentication API version. 0 to autodetect. Default: 0.
OpenStack Swift authentication URL
Set this to true to use the internal OpenStack Swift endpoint URL
OpenStack Swift username.
OpenStack Swift user's domain name.
OpenStack Swift user's domain ID.
OpenStack Swift user ID.
OpenStack Swift API key.
OpenStack Swift user's domain ID.
OpenStack Swift user's domain name.
OpenStack Swift project ID (v2,v3 auth only).
OpenStack Swift project name (v2,v3 auth only).
ID of the OpenStack Swift project's domain (v3 auth only), only needed if it differs from the user domain.
Name of the OpenStack Swift project's domain (v3 auth only), only needed if it differs from the user domain.
OpenStack Swift Region to use (v2,v3 auth only).
Name of the OpenStack Swift container to put chunks in.
Max retries on requests error. Default: 3.
Time after which a connection attempt is aborted.
Time after which an idle request is aborted. The timeout watchdog is reset each time some data is received, so the timeout triggers after X time no data is received on a request.
2 nested properties
Directory to store chunks in.
Directory to store rules in.
3 nested properties
If set to a non-zero value a second request will be issued at the provided duration. Default is 0 (disabled)
The maximum number of hedge requests allowed. Default: 2.
The maximum number of hedge requests allowed per second. Default: 5.
14 nested properties
Set this to true to force the request to use path-style addressing.
Comma separated list of bucket names to evenly distribute chunks over.
COS Endpoint to connect to.
COS region to use.
COS HMAC Access Key ID.
COS HMAC Secret Access Key.
Configures backoff for COS GetObject requests.
IAM API key to access COS.
COS service instance id to use.
IAM Auth Endpoint for authentication.
Compute resource token file path.
Name of the trusted profile.
ID of the trusted profile.
4 nested properties
Use storage congestion control (default: disabled).
13 nested properties
Period at which to heartbeat to the ring. 0 = disabled.
The heartbeat timeout after which compactors are considered unhealthy within the ring. 0 = never (timeout disabled).
File path where tokens are stored. If empty, tokens are not stored at shutdown and restored at startup.
True to enable zone-awareness and replicate blocks across different availability zones.
Number of tokens to own in the ring. Default: 128.
Factor for data replication. Default: 3.
Instance ID to register in the ring.
Name of network interface to read address from.
Port to advertise in the ring (defaults to server.grpc-listen-port). Default: 0.
IP address to advertise in the ring.
The availability zone where this instance is running. Required if zone-awareness is enabled.
Enable using an IPv6 instance address.
The HTTP address of the compactor in the form http://host:port
The gRPC address of the compactor in the form host:port
How long to wait between SIGTERM and shutdown. After receiving SIGTERM, Loki will report 503 Service Unavailable status via /ready endpoint.
Namespace of the metrics that in previous releases had cortex as namespace. This setting is deprecated and will be removed in the next minor release.
Definitions
Name of OSS bucket.
OSS endpoint to connect to.
Alibaba Cloud Access Key ID
Alibaba Cloud Secret Access Key
Enable anonymous usage reporting.
URL to which reports are sent
Configures the action to take on matching attributes. It allows one of [structured_metadata, drop] for all attribute types. It additionally allows the index_label action for resource attributes.
List of attributes to configure how to store them or drop them altogether
Regex to choose attributes to configure how to store them or drop them altogether
Deprecated: Configures storing indexes in DynamoDB.
8 nested properties
DynamoDB endpoint URL with escaped Key and Secret encoded. If only region is specified as a host, proper endpoint will be deduced. Use inmemory:///
DynamoDB table management requests per second limit. Default: 2.
DynamoDB rate cap to back off when throttled. Default: 10.
9 nested properties
Use metrics-based autoscaling, via this query URL
Queue length above which we will scale up capacity. Default: 100000.
Scale up capacity by this multiple. Default: 1.3.
Ignore throttling below this level (rate per second). Default: 1.
Query to fetch ingester queue length
Query to fetch throttle rates per table
Query to fetch write capacity usage per table
Query to fetch read capacity usage per table
Query to fetch read errors per table
Number of chunks to group together to parallelise fetches (zero to disable). Default: 10.
Max number of chunk-get operations to start in parallel. Default: 32.
3 nested properties
Minimum backoff time
Maximum backoff time
Maximum number of times to retry an operation. Default: 20.
KMS key used for encrypting DynamoDB items. DynamoDB will use an Amazon owned KMS key if not provided.
S3 endpoint URL with escaped Key and Secret encoded. If only region is specified as a host, proper endpoint will be deduced. Use inmemory:///
Set this to true to force the request to use path-style addressing.
Comma separated list of bucket names to evenly distribute chunks over. Overrides any buckets specified in s3.url flag
S3 Endpoint to connect to.
AWS region to use.
AWS Access Key ID
AWS Secret Access Key
AWS Session Token
Disable https on s3 connection.
5 nested properties
Timeout specifies a time limit for requests made by s3 Client.
The maximum amount of time an idle connection will be held open.
If non-zero, specifies the amount of time to wait for a server's response headers after fully writing the request.
Set to true to skip verifying the certificate chain and hostname.
Path to the trusted CA file that signed the SSL certificate of the S3 endpoint.
The signature version to use for authenticating against S3. Supported values are: v4.
The S3 storage class which objects will use. Supported values are: GLACIER, DEEP_ARCHIVE, GLACIER_IR, INTELLIGENT_TIERING, ONEZONE_IA, OUTPOSTS, REDUCED_REDUNDANCY, STANDARD, STANDARD_IA.
3 nested properties
Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3.
KMS Key ID used to encrypt objects in S3
KMS Encryption Context used for object encryption. It expects JSON formatted string.
Configures backoff for S3 GetObject requests.
3 nested properties
Minimum backoff time for S3 GetObject requests
Maximum backoff time for S3 GetObject requests
Maximum number of times to retry S3 GetObject requests. Default: 5.
Azure Cloud environment. Supported values are: AzureGlobal, AzureChinaCloud, AzureGermanCloud, AzureUSGovernment.
Azure storage account name.
Azure storage account key.
If connection-string is set, the values of account-name and endpoint-suffix will not be used. Use this method over account-key if you need to authenticate via a SAS token or if you use the Azurite emulator.
Name of the storage account blob container used to store chunks. This container must be created before running cortex.
Azure storage endpoint suffix without schema. The storage account name will be prefixed to this value to create the FQDN.
Use Managed Identity to authenticate to the Azure storage account.
Use Federated Token to authenticate to the Azure storage account.
User assigned identity ID to authenticate to the Azure storage account.
Use Service Principal to authenticate through Azure OAuth.
Azure Service Principal ID(GUID).
Azure Service Principal secret key.
Azure Tenant ID is used to authenticate through Azure OAuth.
Chunk delimiter for blob ID to be used
Preallocated buffer size for downloads. Default: 512000.
Preallocated buffer size for uploads. Default: 256000.
Number of buffers used to upload a chunk. Default: 1.
Timeout for requests made against azure blob storage.
Number of retries for a request which times out. Default: 5.
Minimum time to wait before retrying a request.
Maximum time to wait before retrying a request.
Defines the ring to be used by the bloom-compactor servers. In case this isn't configured, this block supports inheriting configuration from the common ring section.
13 nested properties
Period at which to heartbeat to the ring. 0 = disabled.
The heartbeat timeout after which compactors are considered unhealthy within the ring. 0 = never (timeout disabled).
File path where tokens are stored. If empty, tokens are not stored at shutdown and restored at startup.
True to enable zone-awareness and replicate blocks across different availability zones.
Number of tokens to use in the ring per compactor. A higher number of tokens will result in more and smaller files (metas and blocks). Default: 10.
Instance ID to register in the ring.
Name of network interface to read address from.
Port to advertise in the ring (defaults to server.grpc-listen-port). Default: 0.
IP address to advertise in the ring.
The availability zone where this instance is running. Required if zone-awareness is enabled.
Enable using an IPv6 instance address.
Flag to enable or disable the usage of the bloom-compactor component.
Interval at which to re-run the compaction operation.
Newest day-table offset (from today, inclusive) to compact. Increase to lower cost by not re-writing data to object storage too frequently since recent data changes more often at the cost of not having blooms available as quickly. Default: 1.
Oldest day-table offset (from today, inclusive) to compact. This can be used to lower cost by not trying to compact older data which doesn't change. This can be optimized by aligning it with the maximum reject_old_samples_max_age setting of any tenant. Default: 2.
Number of workers to run in parallel for compaction. Default: 1.
Minimum backoff time between retries.
Maximum backoff time between retries.
Number of retries to perform when compaction fails. Default: 3.
Maximum number of tables to compact in parallel. While increasing this value, please make sure compactor has enough disk space allocated to be able to store and compact as many tables. Default: 1.
2 nested properties
Enable bloom retention.
Max lookback days for retention. Default: 365.
Flag to enable or disable the bloom gateway component globally.
5 nested properties
Configures the behavior of the connection pool.
3 nested properties
How frequently to clean up clients for servers that have gone away or are unhealthy.
Run a health check on each server during periodic cleanup.
Timeout for the health check if health check is enabled.
20 nested properties
gRPC client max receive message size (bytes). Default: 104857600.
gRPC client max send message size (bytes). Default: 104857600.
Use compression when sending messages. Supported values are: 'gzip', 'snappy' and '' (disable compression)
Rate limit for gRPC client; 0 means disabled. Default: 0.
Rate limit burst for gRPC client. Default: 0.
Enable backoff and retry when we hit rate limits.
Initial stream window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Initial connection window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Enable TLS in the gRPC client. This flag needs to be enabled when any other TLS flag is set. If set to false, insecure connection to gRPC server will be used.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
The maximum amount of time to establish a connection. A value of 0 means default gRPC client connect timeout and backoff.
Initial backoff delay after first connection failure. Only relevant if ConnectTimeout > 0.
Maximum backoff delay when establishing a connection. Only relevant if ConnectTimeout > 0.
2 nested properties
Use compression in cache. The default is an empty value '', which disables compression. Supported values are: 'snappy' and ''.
Flag to control whether to cache bloom gateway client requests/responses.
Comma separated addresses list in DNS Service Discovery format: https://grafana.com/docs/mimir/latest/configure/about-dns-service-discovery/#supported-discovery-modes
Number of workers to use for filtering chunks concurrently. Usually set to 1x number of CPU cores. Default: 4.
Number of blocks processed concurrently on a single worker. Usually set to 2x number of CPU cores. Default: 8.
Maximum number of outstanding tasks per tenant. Default: 1024.
How many tasks are multiplexed at once. Default: 512.
Name of BOS bucket.
BOS endpoint to connect to.
Baidu Cloud Engine (BCE) Access Key ID.
Baidu Cloud Engine (BCE) Secret Access Key.
The default validity of entries for caches unless overridden.
3 nested properties
At what concurrency to write back to cache. Default: 1.
How many key batches to buffer for background write-back. Default is large to prefer size based limiting. Default: 500000.
Size limit in bytes for background write-back. Default: 500MB.
3 nested properties
How long keys stay in the memcache.
How many keys to fetch in each batch. Default: 4.
Maximum active requests to memcache. Default: 5.
19 nested properties
Hostname for memcached service to use. If empty and if addresses is unset, no memcached will be used.
SRV service used to discover memcache servers.
Comma separated addresses list in DNS Service Discovery format: https://grafana.com/docs/mimir/latest/configure/about-dns-service-discovery/#supported-discovery-modes
Maximum time to wait before giving up on memcached requests.
Maximum number of idle connections in pool. Default: 16.
The maximum size of an item stored in memcached. Bigger items are not stored. If set to 0, no maximum size is enforced. Default: 0.
Period with which to poll DNS for memcache servers.
Use consistent hashing to distribute to memcache servers.
Trip circuit-breaker after this number of consecutive dial failures (if zero then circuit-breaker is disabled). Default: 10.
Duration circuit-breaker remains open after tripping (if zero then 60 seconds is used).
Reset circuit-breaker counts after this long (if zero then never reset).
Enable connecting to Memcached with TLS.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
13 nested properties
Redis Server or Cluster configuration endpoint to use for caching. A comma-separated list of endpoints for Redis Cluster or Redis Sentinel. If empty, no redis will be used.
Redis Sentinel master name. An empty string for Redis Server or Redis Cluster.
Maximum time to wait before giving up on redis requests.
How long keys stay in Redis.
Database index. Default: 0.
Maximum number of connections in the pool. Default: 0.
Username to use when connecting to redis.
Password to use when connecting to redis.
Enable connecting to redis with TLS.
Skip validating server certificate.
Close connections after remaining idle for this duration. If the value is zero, then idle connections are not closed.
Close connections older than this duration. If the value is zero, then the pool does not close connections based on age.
By default, the Redis client only reads from the master node. Enabling this option can lower pressure on the master node by randomly routing read-only commands to the master and any available replicas.
4 nested properties
Whether embedded cache is enabled.
Maximum memory size of the cache in MB. Default: 100.
Maximum number of entries in the cache. Default: 0.
The time to live for items in the cache before they get purged.
6 nested properties
The default validity of entries for caches unless overridden.
3 nested properties
At what concurrency to write back to cache. Default: 1.
How many key batches to buffer for background write-back. Default is large to prefer size based limiting. Default: 500000.
Size limit in bytes for background write-back. Default: 500MB.
3 nested properties
How long keys stay in the memcache.
How many keys to fetch in each batch. Default: 4.
Maximum active requests to memcache. Default: 5.
19 nested properties
Hostname for memcached service to use. If empty and if addresses is unset, no memcached will be used.
SRV service used to discover memcache servers.
Comma separated addresses list in DNS Service Discovery format: https://grafana.com/docs/mimir/latest/configure/about-dns-service-discovery/#supported-discovery-modes
Maximum time to wait before giving up on memcached requests.
Maximum number of idle connections in pool. Default: 16.
The maximum size of an item stored in memcached. Bigger items are not stored. If set to 0, no maximum size is enforced. Default: 0.
Period with which to poll DNS for memcache servers.
Use consistent hashing to distribute to memcache servers.
Trip circuit-breaker after this number of consecutive dial failures (if zero then circuit-breaker is disabled). Default: 10.
Duration circuit-breaker remains open after tripping (if zero then 60 seconds is used).
Reset circuit-breaker counts after this long (if zero then never reset).
Enable connecting to Memcached with TLS.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
13 nested properties
Redis Server or Cluster configuration endpoint to use for caching. A comma-separated list of endpoints for Redis Cluster or Redis Sentinel. If empty, no redis will be used.
Redis Sentinel master name. An empty string for Redis Server or Redis Cluster.
Maximum time to wait before giving up on redis requests.
How long keys stay in Redis.
Database index. Default: 0.
Maximum number of connections in the pool. Default: 0.
Username to use when connecting to redis.
Password to use when connecting to redis.
Enable connecting to redis with TLS.
Skip validating server certificate.
Close connections after remaining idle for this duration. If the value is zero, then idle connections are not closed.
Close connections older than this duration. If the value is zero, then the pool does not close connections based on age.
By default, the Redis client only reads from the master node. Enabling this option can lower pressure on the master node by randomly routing read-only commands to the master and any available replicas.
4 nested properties
Whether embedded cache is enabled.
Maximum memory size of the cache in MB. Default: 100.
Maximum number of entries in the cache. Default: 0.
The time to live for items in the cache before they get purged.
6 nested properties
The default validity of entries for caches unless overridden.
3 nested properties
At what concurrency to write back to cache. Default: 1.
How many key batches to buffer for background write-back. Default is large to prefer size based limiting. Default: 500000.
Size limit in bytes for background write-back. Default: 500MB.
3 nested properties
How long keys stay in the memcache.
How many keys to fetch in each batch. Default: 4.
Maximum active requests to memcache. Default: 5.
19 nested properties
Hostname for memcached service to use. If empty and if addresses is unset, no memcached will be used.
SRV service used to discover memcache servers.
Comma separated addresses list in DNS Service Discovery format: https://grafana.com/docs/mimir/latest/configure/about-dns-service-discovery/#supported-discovery-modes
Maximum time to wait before giving up on memcached requests.
Maximum number of idle connections in pool. Default: 16.
The maximum size of an item stored in memcached. Bigger items are not stored. If set to 0, no maximum size is enforced. Default: 0.
Period with which to poll DNS for memcache servers.
Use consistent hashing to distribute to memcache servers.
Trip circuit-breaker after this number of consecutive dial failures (if zero then circuit-breaker is disabled). Default: 10.
Duration circuit-breaker remains open after tripping (if zero then 60 seconds is used).
Reset circuit-breaker counts after this long (if zero then never reset).
Enable connecting to Memcached with TLS.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
13 nested properties
Redis Server or Cluster configuration endpoint to use for caching. A comma-separated list of endpoints for Redis Cluster or Redis Sentinel. If empty, no redis will be used.
Redis Sentinel master name. An empty string for Redis Server or Redis Cluster.
Maximum time to wait before giving up on redis requests.
How long keys stay in Redis.
Database index. Default: 0.
Maximum number of connections in the pool. Default: 0.
Username to use when connecting to redis.
Password to use when connecting to redis.
Enable connecting to redis with TLS.
Skip validating server certificate.
Close connections after remaining idle for this duration. If the value is zero, then idle connections are not closed.
Close connections older than this duration. If the value is zero, then the pool does not close connections based on age.
By default, the Redis client only reads from the master node. Enabling this option can lower pressure on the master node by randomly routing read-only commands to the master and any available replicas.
4 nested properties
Whether embedded cache is enabled.
Maximum memory size of the cache in MB. Default: 100.
Maximum number of entries in the cache. Default: 0.
The time to live for items in the cache before they get purged.
6 nested properties
The default validity of entries for caches unless overridden.
3 nested properties
At what concurrency to write back to cache. Default: 1.
How many key batches to buffer for background write-back. Default is large to prefer size based limiting. Default: 500000.
Size limit in bytes for background write-back. Default: 500MB.
3 nested properties
How long keys stay in the memcache.
How many keys to fetch in each batch. Default: 4.
Maximum active requests to memcache. Default: 5.
19 nested properties
Hostname for memcached service to use. If empty and if addresses is unset, no memcached will be used.
SRV service used to discover memcache servers.
Comma separated addresses list in DNS Service Discovery format: https://grafana.com/docs/mimir/latest/configure/about-dns-service-discovery/#supported-discovery-modes
Maximum time to wait before giving up on memcached requests.
Maximum number of idle connections in pool. Default: 16.
The maximum size of an item stored in memcached. Bigger items are not stored. If set to 0, no maximum size is enforced. Default: 0.
Period with which to poll DNS for memcache servers.
Use consistent hashing to distribute to memcache servers.
Trip circuit-breaker after this number of consecutive dial failures (if zero then circuit-breaker is disabled). Default: 10.
Duration circuit-breaker remains open after tripping (if zero then 60 seconds is used).
Reset circuit-breaker counts after this long (if zero then never reset).
Enable connecting to Memcached with TLS.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
13 nested properties
Redis Server or Cluster configuration endpoint to use for caching. A comma-separated list of endpoints for Redis Cluster or Redis Sentinel. If empty, no Redis will be used.
Redis Sentinel master name. An empty string for Redis Server or Redis Cluster.
Maximum time to wait before giving up on Redis requests.
How long keys stay in Redis.
Database index. Default: 0.
Maximum number of connections in the pool. Default: 0.
Username to use when connecting to Redis.
Password to use when connecting to Redis.
Enable connecting to Redis with TLS.
Skip validating server certificate.
Close connections after remaining idle for this duration. If the value is zero, then idle connections are not closed.
Close connections older than this duration. If the value is zero, then the pool does not close connections based on age.
By default, the Redis client only reads from the master node. Enabling this option can lower pressure on the master node by randomly routing read-only commands to the master and any available replicas.
4 nested properties
Whether embedded cache is enabled.
Maximum memory size of the cache in MB. Default: 100.
Maximum number of entries in the cache. Default: 0.
The time to live for items in the cache before they get purged.
Chunks will be handed off to the L2 cache after this duration. 0 to disable L2 cache.
Cache index entries older than this period. 0 to disable.
10 nested properties
14 nested properties
S3 endpoint URL with escaped Key and Secret encoded. If only region is specified as a host, proper endpoint will be deduced. Use inmemory:///
Set this to true to force the request to use path-style addressing.
Comma separated list of bucket names to evenly distribute chunks over. Overrides any buckets specified in s3.url flag
S3 Endpoint to connect to.
AWS region to use.
AWS Access Key ID
AWS Secret Access Key
AWS Session Token
Disable https on s3 connection.
The signature version to use for authenticating against S3. Supported values are: v4.
The S3 storage class which objects will use. Supported values are: GLACIER, DEEP_ARCHIVE, GLACIER_IR, INTELLIGENT_TIERING, ONEZONE_IA, OUTPOSTS, REDUCED_REDUNDANCY, STANDARD, STANDARD_IA.
Configures backoff for S3 GetObject requests.
7 nested properties
Name of GCS bucket. Please refer to https://cloud.google.com/docs/authentication/production for more information about how to configure authentication.
Service account key content in JSON format, refer to https://cloud.google.com/iam/docs/creating-managing-service-account-keys for creation.
The size of the buffer that the GCS client uses for each PUT request. 0 to disable buffering. Default: 0.
The duration after which the requests to GCS should be timed out.
Enable OpenCensus (OC) instrumentation for all requests.
Enable HTTP2 connections.
Enable automatic retries of failed idempotent requests.
21 nested properties
Azure Cloud environment. Supported values are: AzureGlobal, AzureChinaCloud, AzureGermanCloud, AzureUSGovernment.
Azure storage account name.
Azure storage account key.
If connection-string is set, the values of account-name and endpoint-suffix will not be used. Use this method over account-key if you need to authenticate via a SAS token or if you use the Azurite emulator.
Name of the storage account blob container used to store chunks. This container must be created before running cortex.
Azure storage endpoint suffix without schema. The storage account name will be prefixed to this value to create the FQDN.
Use Managed Identity to authenticate to the Azure storage account.
Use Federated Token to authenticate to the Azure storage account.
User assigned identity ID to authenticate to the Azure storage account.
Use Service Principal to authenticate through Azure OAuth.
Azure Service Principal ID(GUID).
Azure Service Principal secret key.
Azure Tenant ID is used to authenticate through Azure OAuth.
Chunk delimiter for blob ID to be used
Preallocated buffer size for downloads. Default: 512000.
Preallocated buffer size for uploads. Default: 256000.
Number of buffers used to upload a chunk. Default: 1.
Timeout for requests made against azure blob storage.
Number of retries for a request which times out. Default: 5.
Minimum time to wait before retrying a request.
Maximum time to wait before retrying a request.
4 nested properties
Name of OSS bucket.
OSS endpoint to connect to.
Alibaba Cloud Access Key ID.
Alibaba Cloud Secret Access Key.
4 nested properties
Name of BOS bucket.
BOS endpoint to connect to.
Baidu Cloud Engine (BCE) Access Key ID.
Baidu Cloud Engine (BCE) Secret Access Key.
19 nested properties
OpenStack Swift authentication API version. 0 to autodetect. Default: 0.
OpenStack Swift authentication URL
Set this to true to use the internal OpenStack Swift endpoint URL
OpenStack Swift username.
OpenStack Swift user's domain name.
OpenStack Swift user's domain ID.
OpenStack Swift user ID.
OpenStack Swift API key.
OpenStack Swift user's domain ID.
OpenStack Swift user's domain name.
OpenStack Swift project ID (v2,v3 auth only).
OpenStack Swift project name (v2,v3 auth only).
ID of the OpenStack Swift project's domain (v3 auth only), only needed if it differs from the user domain.
Name of the OpenStack Swift project's domain (v3 auth only), only needed if it differs from the user domain.
OpenStack Swift Region to use (v2,v3 auth only).
Name of the OpenStack Swift container to put chunks in.
Max retries on requests error. Default: 3.
Time after which a connection attempt is aborted.
Time after which an idle request is aborted. The timeout watchdog is reset each time some data is received, so the timeout triggers after X time no data is received on a request.
2 nested properties
Directory to store chunks in.
Directory to store rules in.
3 nested properties
If set to a non-zero value a second request will be issued at the provided duration. Default is 0 (disabled)
The maximum number of hedge requests allowed. Default: 2.
The maximum number of hedge requests allowed per second. Default: 5.
14 nested properties
Set this to true to force the request to use path-style addressing.
Comma separated list of bucket names to evenly distribute chunks over.
COS Endpoint to connect to.
COS region to use.
COS HMAC Access Key ID.
COS HMAC Secret Access Key.
Configures backoff for COS GetObject requests.
IAM API key to access COS.
COS service instance id to use.
IAM Auth Endpoint for authentication.
Compute resource token file path.
Name of the trusted profile.
ID of the trusted profile.
4 nested properties
Use storage congestion control (default: disabled).
13 nested properties
Period at which to heartbeat to the ring. 0 = disabled.
The heartbeat timeout after which compactors are considered unhealthy within the ring. 0 = never (timeout disabled).
File path where tokens are stored. If empty, tokens are not stored at shutdown and restored at startup.
True to enable zone-awareness and replicate blocks across different availability zones.
Number of tokens to own in the ring. Default: 128.
Factor for data replication. Default: 3.
Instance ID to register in the ring.
Name of network interface to read address from.
Port to advertise in the ring (defaults to server.grpc-listen-port). Default: 0.
IP address to advertise in the ring.
The availability zone where this instance is running. Required if zone-awareness is enabled.
Enable using an IPv6 instance address.
The HTTP address of the compactor in the form http://host:port
The gRPC address of the compactor in the form host:port
Directory where files can be downloaded for compaction.
Interval at which to re-run the compaction operation.
Interval at which to apply/enforce retention. 0 means run at same interval as compaction. If non-zero, it should always be a multiple of compaction interval.
Activate custom (per-stream,per-tenant) retention.
Delay after which chunks will be fully deleted during retention.
The total number of workers to use to delete chunks. Default: 150.
The maximum amount of time to spend running retention and deletion on any given table in the index.
Store used for managing delete requests.
Path prefix for storing delete requests.
The max number of delete requests to run per compaction cycle. Default: 70.
Allow cancellation of delete requests until this duration after they are created. Data is deleted only once delete requests are older than this duration. Ideally this should be set to at least 24h.
Constrain the size of any single delete request with line filters. When a delete request > delete_max_interval is input, the request is sharded into smaller requests of no more than delete_max_interval
Maximum number of tables to compact in parallel. While increasing this value, please make sure compactor has enough disk space allocated to be able to store and compact as many tables. Default: 1.
Number of upload/remove operations to execute in parallel when finalizing a compaction. NOTE: This setting is per compaction operation, which can be executed in parallel. The upper bound on the number of concurrent uploads is upload_parallelism * max_compaction_parallelism. Default: 10.
The hash ring configuration used by compactors to elect a single instance for running compactions. The CLI flags prefix for this block config is: compactor.ring
13 nested properties
Period at which to heartbeat to the ring. 0 = disabled.
The heartbeat timeout after which compactors are considered unhealthy within the ring. 0 = never (timeout disabled).
File path where tokens are stored. If empty, tokens are not stored at shutdown and restored at startup.
True to enable zone-awareness and replicate blocks across different availability zones.
Instance ID to register in the ring.
Name of network interface to read address from.
Port to advertise in the ring (defaults to server.grpc-listen-port). Default: 0.
IP address to advertise in the ring.
The availability zone where this instance is running. Required if zone-awareness is enabled.
Enable using an IPv6 instance address.
Number of tables that compactor will try to compact. Newer tables are chosen when this is less than the number of tables available. Default: 0.
Do not compact N latest tables. Together with -compactor.run-once and -compactor.tables-to-compact, this is useful when clearing compactor backlogs. Default: 0.
Hostname and port of Consul.
ACL Token used to interact with Consul.
HTTP timeout when talking to Consul
Enable consistent reads to Consul.
Rate limit when watching key or prefix in Consul, in requests per second. 0 disables the rate limit. Default: 1.
Burst size used in rate limit. Values less than 1 are treated as 1. Default: 1.
Maximum duration to wait before retrying a Compare And Swap (CAS) operation.
Set this to true to force the request to use path-style addressing.
Comma separated list of bucket names to evenly distribute chunks over.
COS Endpoint to connect to.
COS region to use.
COS HMAC Access Key ID.
COS HMAC Secret Access Key.
2 nested properties
The maximum amount of time an idle connection will be held open.
If non-zero, specifies the amount of time to wait for a server's response headers after fully writing the request.
Configures backoff for COS GetObject requests.
3 nested properties
Minimum backoff time for COS GetObject requests.
Maximum backoff time for COS GetObject requests.
Maximum number of times to retry COS GetObject requests. Default: 5.
IAM API key to access COS.
COS service instance id to use.
IAM Auth Endpoint for authentication.
Compute resource token file path.
Name of the trusted profile.
ID of the trusted profile.
4 nested properties
Period at which to heartbeat to the ring. 0 = disabled.
The heartbeat timeout after which distributors are considered unhealthy within the ring. 0 = never (timeout disabled).
Name of network interface to read address from.
4 nested properties
The max number of concurrent requests to make to ingester stream apis. Default: 200.
The interval on which distributors will update current stream rates from ingesters
Timeout for communication between distributors and any given ingester when updating rates
If enabled, detailed logs and spans will be emitted.
Customize the logging of write failures.
2 nested properties
Log volume allowed (per second). Default: 1KB.
Whether an insight=true key should be logged or not. Default: false.
1 nested properties
List of default otlp resource attributes to be picked as index labels
The etcd endpoints to connect to.
The dial timeout for the etcd connection.
The maximum number of retries to do for failed ops. Default: 10.
Enable TLS.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
Etcd username.
Etcd password.
Log queries that are slower than the specified duration. Set to 0 to disable. Set to < 0 to enable on all queries.
Comma-separated list of request header names to include in query logs. Applies to both query stats and slow queries logs.
Max body size for downstream prometheus. Default: 10485760.
True to enable query statistics tracking. When enabled, a message with some statistics is logged for every query.
Maximum number of outstanding requests per tenant per frontend; requests beyond this error with HTTP 429. Default: 2048.
In the event a tenant is repeatedly sending queries that lead the querier to crash or be killed due to an out-of-memory error, the crashed querier will be disconnected from the query frontend and a new querier will be immediately assigned to the tenant’s shard. This invalidates the assumption that shuffle sharding can be used to reduce the impact on tenants. This option mitigates the impact by configuring a delay between when a querier disconnects because of a crash and when the crashed querier is actually removed from the tenant's shard.
DNS hostname used for finding query-schedulers.
How often to resolve the scheduler-address, in order to look for new query-scheduler instances. Also used to determine how often to poll the scheduler-ring for addresses if the scheduler-ring is configured.
Number of concurrent workers forwarding queries to single query-scheduler. Default: 5.
20 nested properties
gRPC client max receive message size (bytes). Default: 104857600.
gRPC client max send message size (bytes). Default: 104857600.
Use compression when sending messages. Supported values are: 'gzip', 'snappy' and '' (disable compression)
Rate limit for gRPC client; 0 means disabled. Default: 0.
Rate limit burst for gRPC client. Default: 0.
Enable backoff and retry when we hit rate limits.
3 nested properties
Minimum delay when backing off.
Maximum delay when backing off.
Number of times to backoff and retry before failing. Default: 10.
Initial stream window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Initial connection window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Enable TLS in the gRPC client. This flag needs to be enabled when any other TLS flag is set. If set to false, insecure connection to gRPC server will be used.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
The maximum amount of time to establish a connection. A value of 0 means default gRPC client connect timeout and backoff.
Initial backoff delay after first connection failure. Only relevant if ConnectTimeout > 0.
Maximum backoff delay when establishing a connection. Only relevant if ConnectTimeout > 0.
Time to wait for inflight requests to finish before forcefully shutting down. This needs to be aligned with the query timeout and the graceful termination period of the process orchestrator.
Name of network interface to read address from. This address is sent to query-scheduler and querier, which uses it to send the query response back to query-frontend.
Defines the encoding for requests to and responses from the scheduler and querier. Can be 'json' or 'protobuf' (defaults to 'json').
Compress HTTP responses.
URL of downstream Loki.
URL of querier for tail proxy.
7 nested properties
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
Address of query frontend service, in host:port format. If -querier.scheduler-address is set as well, querier will use scheduler instead. Only one of -querier.frontend-address or -querier.scheduler-address can be set. If neither is set, queries are only received via HTTP endpoint.
Hostname (and port) of scheduler that querier will periodically resolve, connect to and receive queries from. Only one of -querier.frontend-address or -querier.scheduler-address can be set. If neither is set, queries are only received via HTTP endpoint.
How often to query DNS for query-frontend or query-scheduler address. Also used to determine how often to poll the scheduler-ring for addresses if the scheduler-ring is configured.
Querier ID, sent to frontend service to identify requests from the same querier. Defaults to hostname.
20 nested properties
gRPC client max receive message size (bytes). Default: 104857600.
gRPC client max send message size (bytes). Default: 104857600.
Use compression when sending messages. Supported values are: 'gzip', 'snappy' and '' (disable compression)
Rate limit for gRPC client; 0 means disabled. Default: 0.
Rate limit burst for gRPC client. Default: 0.
Enable backoff and retry when we hit rate limits.
3 nested properties
Minimum delay when backing off.
Maximum delay when backing off.
Number of times to backoff and retry before failing. Default: 10.
Initial stream window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Initial connection window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Enable TLS in the gRPC client. This flag needs to be enabled when any other TLS flag is set. If set to false, insecure connection to gRPC server will be used.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
The maximum amount of time to establish a connection. A value of 0 means default gRPC client connect timeout and backoff.
Initial backoff delay after first connection failure. Only relevant if ConnectTimeout > 0.
Maximum backoff delay when establishing a connection. Only relevant if ConnectTimeout > 0.
Name of GCS bucket. Please refer to https://cloud.google.com/docs/authentication/production for more information about how to configure authentication.
Service account key content in JSON format, refer to https://cloud.google.com/iam/docs/creating-managing-service-account-keys for creation.
The size of the buffer that the GCS client uses for each PUT request. 0 to disable buffering. Default: 0.
The duration after which the requests to GCS should be timed out.
Enable OpenCensus (OC) instrumentation for all requests.
Enable HTTP2 connections.
Enable automatic retries of failed idempotent requests.
gRPC client max receive message size (bytes). Default: 104857600.
gRPC client max send message size (bytes). Default: 104857600.
Use compression when sending messages. Supported values are: 'gzip', 'snappy' and '' (disable compression)
Rate limit for gRPC client; 0 means disabled. Default: 0.
Rate limit burst for gRPC client. Default: 0.
Enable backoff and retry when we hit rate limits.
3 nested properties
Minimum delay when backing off.
Maximum delay when backing off.
Number of times to backoff and retry before failing. Default: 10.
Initial stream window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Initial connection window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Enable TLS in the gRPC client. This flag needs to be enabled when any other TLS flag is set. If set to false, insecure connection to gRPC server will be used.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
The maximum amount of time to establish a connection. A value of 0 means default gRPC client connect timeout and backoff.
Initial backoff delay after first connection failure. Only relevant if ConnectTimeout > 0.
Maximum backoff delay when establishing a connection. Only relevant if ConnectTimeout > 0.
Defines in which mode the index gateway server will operate (defaults to 'simple'). It supports two modes:
- 'simple': an index gateway server instance is responsible for handling, storing and returning requests for all indices for all tenants.
- 'ring': an index gateway server instance is responsible for a subset of tenants instead of all tenants.
Defines the ring to be used by the index gateway servers and clients in case the servers are configured to run in 'ring' mode. In case this isn't configured, this block supports inheriting configuration from the common ring section.
13 nested properties
Period at which to heartbeat to the ring. 0 = disabled.
The heartbeat timeout after which compactors are considered unhealthy within the ring. 0 = never (timeout disabled).
File path where tokens are stored. If empty, tokens are not stored at shutdown and restored at startup.
True to enable zone-awareness and replicate blocks across different availability zones.
Deprecated: How many index gateway instances are assigned to each tenant. Use -index-gateway.shard-size instead. The shard size is also a per-tenant setting. Default: 3.
Instance ID to register in the ring.
Name of network interface to read address from.
Port to advertise in the ring (defaults to server.grpc-listen-port). Default: 0.
IP address to advertise in the ring.
The availability zone where this instance is running. Required if zone-awareness is enabled.
Enable using an IPv6 instance address.
Configures how the lifecycle of the ingester will operate and where it will register for discovery.
17 nested properties
5 nested properties
The heartbeat timeout after which ingesters are skipped for reads/writes. 0 = never (timeout disabled).
The number of ingesters to write to and read from. Default: 3.
True to enable the zone-awareness and replicate ingested samples across different availability zones.
Comma-separated list of zones to exclude from the ring. Instances in excluded zones will be filtered out from the ring.
Number of tokens for each ingester. Default: 128.
Period at which to heartbeat to consul. 0 = disabled.
Heartbeat timeout after which instance is assumed to be unhealthy. 0 = disabled.
Observe tokens after generating to resolve collisions. Useful when using gossiping ring.
Period to wait for a claim from another member; will join automatically after this.
Minimum duration to wait after the internal readiness checks have passed but before succeeding the readiness endpoint. This is used to slow down deployment controllers (e.g. Kubernetes) after an instance is ready and before they proceed with a rolling update, to give the rest of the cluster instances enough time to receive ring updates.
Name of network interface to read address from.
Enable IPv6 support. Required to make use of IP addresses from IPv6 interfaces.
Duration to sleep for before exiting, to ensure metrics are scraped.
File path where tokens are stored. If empty, tokens are not stored at shutdown and restored at startup.
The availability zone where this instance is running.
Unregister from the ring upon clean shutdown. It can be useful to disable for rolling restarts with consistent naming in conjunction with -distributor.extend-writes=false.
When enabled the readiness probe succeeds only after all instances are ACTIVE and healthy in the ring, otherwise only the instance itself is checked. This option should be disabled if in your cluster multiple instances can be rolled out simultaneously, otherwise rolling updates may be slowed down.
IP address to advertise in the ring.
Port to advertise in consul (defaults to server.grpc-listen-port). Default: 0.
ID to register in the ring.
How many flushes can happen concurrently from each stream. Default: 32.
How often should the ingester see if there are any blocks to flush. The first flush check is delayed by a random time up to 0.8x the flush check period. Additionally, there is +/- 1% jitter added to the interval.
The timeout before a flush is cancelled.
How long chunks should be retained in-memory after they've been flushed.
How long chunks should sit in-memory with no updates before being flushed if they don't hit the max block size. This means that half-empty chunks will still be flushed after a certain period as long as they receive no further activity.
The targeted uncompressed size in bytes of a chunk block. When this threshold is exceeded the head block will be cut and compressed inside the chunk. Default: 262144.
A target compressed size in bytes for chunks. This is a desired size not an exact size, chunks may be slightly bigger or significantly smaller if they get flushed for other reasons (e.g. chunk_idle_period). A value of 0 creates chunks with a fixed 10 blocks, a non zero value will create chunks with a variable number of blocks to meet the target size. Default: 1572864.
The algorithm to use for compressing chunks. Supported values: none, gzip, lz4-64k, snappy, lz4-256k, lz4-1M, lz4, flate, zstd.
The maximum duration of a timeseries chunk in memory. If a timeseries runs for longer than this, the current chunk will be flushed to the store and a new chunk created.
Forget about ingesters having heartbeat timestamps older than ring.kvstore.heartbeat_timeout. This is equivalent to clicking on the /ring forget button in the UI: the ingester is removed from the ring. This is a useful setting when you are sure that an unhealthy node won't return. An example is when not using stateful sets or the equivalent. Use memberlist.rejoin_interval > 0 to handle network partition cases when using a memberlist.
Parameters used to synchronize ingesters to cut chunks at the same moment. Sync period is used to roll over incoming entries to a new chunk. If the chunk's utilization isn't high enough (e.g. less than 50% when sync_min_utilization is set to 0.5), then this chunk rollover doesn't happen.
Minimum utilization of chunk when doing synchronization. Default: 0.1.
The maximum number of errors a stream will report to the user when a push fails. 0 to make unlimited. Default: 10.
How far back should an ingester be allowed to query the store for data, for use only with boltdb-shipper/tsdb index and filesystem object store. -1 for infinite.
The ingester WAL (Write Ahead Log) records incoming logs and stores them on the local file systems in order to guarantee persistence of acknowledged data in the event of a process crash.
5 nested properties
Enable writing of ingested data into WAL.
Directory where the WAL data is stored and/or recovered from.
Interval at which checkpoints should be created.
When WAL is enabled, should chunks be flushed to long-term storage on shutdown.
Maximum memory size the WAL may use during replay. After hitting this, it will flush data to storage before continuing. A unit suffix (KB, MB, GB) may be applied. Default: 4GB.
Shard factor used in the ingesters for the in process reverse index. This MUST be evenly divisible by ALL schema shard factors or Loki will not start. Default: 32.
Maximum number of dropped streams to keep in memory during tailing. Default: 10.
Path where the shutdown marker file is stored. If not set and common.path_prefix is set then common.path_prefix will be used.
Configures how connections are pooled.
3 nested properties
How frequently to clean up clients for ingesters that have gone away.
Run a health check on each ingester client during periodic cleanup.
How quickly a dead client will be removed after it has been detected to disappear. Set this to a value to allow time for a secondary health check to recover the missing client.
The remote request timeout on the client side.
20 nested properties
gRPC client max receive message size (bytes). Default: 104857600.
gRPC client max send message size (bytes). Default: 104857600.
Use compression when sending messages. Supported values are: 'gzip', 'snappy' and '' (disable compression)
Rate limit for gRPC client; 0 means disabled. Default: 0.
Rate limit burst for gRPC client. Default: 0.
Enable backoff and retry when we hit rate limits.
3 nested properties
Minimum delay when backing off.
Maximum delay when backing off.
Number of times to backoff and retry before failing. Default: 10.
Initial stream window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Initial connection window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Enable TLS in the gRPC client. This flag needs to be enabled when any other TLS flag is set. If set to false, insecure connection to gRPC server will be used.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
The maximum amount of time to establish a connection. A value of 0 means default gRPC client connect timeout and backoff.
Initial backoff delay after first connection failure. Only relevant if ConnectTimeout > 0.
Maximum backoff delay when establishing a connection. Only relevant if ConnectTimeout > 0.
Whether the ingestion rate limit should be applied individually to each distributor instance (local), or evenly shared across the cluster (global). The ingestion rate strategy cannot be overridden on a per-tenant basis.
- local: enforces the limit on a per distributor basis. The actual effective rate limit will be N times higher, where N is the number of distributor replicas.
- global: enforces the limit globally, configuring a per-distributor local rate limiter as 'ingestion_rate / N', where N is the number of distributor replicas (it's automatically adjusted if the number of replicas change). The global strategy requires the distributors to form their own ring, which is used to keep track of the current number of healthy distributor replicas.
Per-user ingestion rate limit in sample size per second. Units in MB. Default: 4.
Per-user allowed ingestion burst size (in sample size). Units in MB. The burst size refers to the per-distributor local rate limiter even in the case of the 'global' strategy, and should be set at least to the maximum logs size expected in a single push request. Default: 6.
Maximum length accepted for label names. Default: 1024.
Maximum length accepted for label value. This setting also applies to the metric name. Default: 2048.
Maximum number of label names per series. Default: 15.
Whether or not old samples will be rejected.
Maximum accepted sample age before rejecting.
Duration which table will be created/deleted before/after it's needed; we won't accept sample from before this time.
Maximum line size on ingestion path. Example: 256kb. Any log line exceeding this limit will be discarded unless distributor.max-line-size-truncate is set, in which case it is truncated instead of being discarded completely. There is no limit when unset or set to 0. Default: 256KB.
Whether to truncate lines that exceed max_line_size.
Alter the log line timestamp during ingestion when the timestamp is the same as the previous entry for the same stream. When enabled, if a log line in a push request has the same timestamp as the previous line for the same stream, one nanosecond is added to the log line. This will preserve the received order of log lines with the exact same timestamp when they are queried, by slightly altering their stored timestamp. NOTE: This is imperfect, because Loki accepts out of order writes, and another push request for the same stream could contain duplicate timestamps to existing entries and they will not be incremented.
If no service_name label exists, Loki maps a single label from the configured list to service_name. If none of the configured labels exist in the stream, label is set to unknown_service. Empty list disables setting the label.
Discover and add log levels during ingestion, if not present already. Levels would be added to Structured Metadata with name 'level' and one of the values from 'debug', 'info', 'warn', 'error', 'critical', 'fatal'.
Maximum number of active streams per user, per ingester. 0 to disable. Default: 0.
Maximum number of active streams per user, across the cluster. 0 to disable. When the global limit is enabled, each ingester is configured with a dynamic local limit based on the replication factor and the current number of healthy ingesters, and is kept updated whenever the number of ingesters change. Default: 5000.
Deprecated. When true, out-of-order writes are accepted.
Maximum byte rate per second per stream, also expressible in human readable forms (1MB, 256KB, etc). Default: 3MB.
Maximum burst bytes per stream, also expressible in human readable forms (1MB, 256KB, etc). This is how far above the rate limit a stream can 'burst' before the stream is limited. Default: 15MB.
Maximum number of chunks that can be fetched in a single query. Default: 2000000.
Limit the maximum of unique series that is returned by a metric query. When the limit is reached an error is returned. Default: 500.
Limit how far back in time series data and metadata can be queried, up until lookback duration ago. This limit is enforced in the query frontend, the querier and the ruler. If the requested time range is outside the allowed range, the request will not fail, but will be modified to only query data within the allowed time range. The default value of 0 does not set a limit.
The limit to length of chunk store queries. 0 to disable.
Limit the length of the [range] inside a range query. Default is 0 or unlimited.
Maximum number of queries that will be scheduled in parallel by the frontend. Default: 32.
Maximum number of queries that will be scheduled in parallel by the frontend for TSDB schemas. Default: 128.
Target maximum number of bytes assigned to a single sharded query. Also expressible in human readable forms (1GB, etc). Note: This is a target and not an absolute limit. The actual limit can be higher, but the query planner will try to build shards up to this limit. Default: 600MB.
Sharding strategy to use in query planning. Suggested to use bounded once all nodes can recognize it.
Cardinality limit for index queries. Default: 100000.
Maximum number of stream matchers per query. Default: 1000.
Maximum number of concurrent tail requests. Default: 10.
Maximum number of log entries that will be returned for a query. Default: 5000.
Most recent allowed cacheable result per-tenant, to prevent caching very recent results that might still be in flux.
Do not cache metadata request if the end time is within the frontend.max-metadata-cache-freshness window. Set this to 0 to apply no such limits. Defaults to 24h.
Do not cache requests with an end time that falls within Now minus this duration. 0 disables this feature (default).
Maximum number of queriers that can handle requests for a single tenant. If set to 0 or value higher than number of available queriers, all queriers will handle requests for the tenant. Each frontend (or query-scheduler, if used) will select the same set of queriers for the same tenant (given that all queriers are connected to all frontends / query-schedulers). This option only works with queriers connecting to the query-frontend / query-scheduler, not when using downstream URL. Default: 0.
How much of the available query capacity ("querier" components in distributed mode, "read" components in SSD mode) can be used by a single tenant. Allowed values are 0.0 to 1.0. For example, setting this to 0.5 would allow a tenant to use half of the available queriers for processing the query workload. If set to 0, query capacity is determined by frontend.max-queriers-per-tenant. When both frontend.max-queriers-per-tenant and frontend.max-query-capacity are configured, the smaller of the resulting querier replica counts is used: min(frontend.max-queriers-per-tenant, ceil(querier_replicas * frontend.max-query-capacity)). All queriers will handle requests for the tenant if neither limit is applied. This option only works with queriers connecting to the query-frontend / query-scheduler, not when using downstream URL. Use this feature in a multi-tenant setup where you need to limit query capacity for certain tenants. Default: 0.
Number of days of index to be kept always downloaded for queries. Applies only to per user index in boltdb-shipper index store. 0 to disable. Default: 0.
Timeout when querying backends (ingesters or storage) during the execution of a query request. When a specific per-tenant timeout is used, the global timeout is ignored.
Split queries by a time interval and execute in parallel. The value 0 disables splitting by time. This also determines how cache keys are chosen when result caching is enabled.
Split metadata queries by a time interval and execute in parallel. The value 0 disables splitting metadata queries by time. This also determines how cache keys are chosen when label/series result caching is enabled.
Experimental. Split interval to use for the portion of a metadata request that falls within recent_metadata_query_window. The rest of the request, which is outside the window, still uses split_metadata_queries_by_interval. If set to 0, the entire request defaults to using a split interval of split_metadata_queries_by_interval.
Experimental. Metadata query window inside which split_recent_metadata_queries_by_interval gets applied. The portion of the metadata request that falls in this window is split using split_recent_metadata_queries_by_interval. The value 0 disables using a different split interval for recent metadata queries.
This is added to improve cacheability of recent metadata queries. Query split interval also determines the interval used in cache key. The default split interval of 24h is useful for caching long queries, each cache key holding 1 day's results. But metadata queries are often shorter than 24h, to cache them effectively we need a smaller split interval. recent_metadata_query_window along with split_recent_metadata_queries_by_interval help configure a shorter split interval for recent metadata queries.
Split instant metric queries by a time interval and execute in parallel. The value 0 disables splitting instant metric queries by time. This also determines how cache keys are chosen when instant metric query result caching is enabled.
Interval to use for time-based splitting when a request is within the query_ingesters_within window; defaults to split-queries-by-interval by setting to 0.
Limit queries that can be sharded. Queries within the time range of now and now minus this sharding lookback are not sharded. The default value of 0s disables the lookback, causing sharding of all queries at all times.
Max number of bytes a query can fetch. Enforced in log and metric queries only when TSDB is used. The default value of 0 disables this limit. Default: 0B.
Max number of bytes a query can fetch after splitting and sharding. Enforced in log and metric queries only when TSDB is used. The default value of 0 disables this limit. Default: 150GB.
Enable log-volume endpoints.
The maximum number of aggregated series in a log-volume response. Default: 1000.
Maximum number of rules per rule group per-tenant. 0 to disable. Default: 0.
Maximum number of rule groups per-tenant. 0 to disable. Default: 0.
The default tenant's shard size when shuffle-sharding is enabled in the ruler. When this setting is specified in the per-tenant overrides, a value of 0 disables shuffle sharding for the tenant. Default: 0.
Disable recording rules remote-write.
Deprecated: Use 'ruler_remote_write_config' instead. The URL of the endpoint to send samples to.
Deprecated: Use 'ruler_remote_write_config' instead. Timeout for requests to the remote write endpoint.
Deprecated: Use 'ruler_remote_write_config' instead. Custom HTTP headers to be sent along with each remote write request. Be aware that headers that are set by Loki itself can't be overwritten.
Deprecated: Use 'ruler_remote_write_config' instead. List of remote write relabel configurations.
Deprecated: Use 'ruler_remote_write_config' instead. Number of samples to buffer per shard before we block reading of more samples from the WAL. It is recommended to have enough capacity in each shard to buffer several requests to keep throughput up while processing occasional slow remote requests.
Deprecated: Use 'ruler_remote_write_config' instead. Minimum number of shards, i.e. amount of concurrency.
Deprecated: Use 'ruler_remote_write_config' instead. Maximum number of shards, i.e. amount of concurrency.
Deprecated: Use 'ruler_remote_write_config' instead. Maximum number of samples per send.
Deprecated: Use 'ruler_remote_write_config' instead. Maximum time a sample will wait in buffer.
Deprecated: Use 'ruler_remote_write_config' instead. Initial retry delay. Gets doubled for every retry.
Deprecated: Use 'ruler_remote_write_config' instead. Maximum retry delay.
Deprecated: Use 'ruler_remote_write_config' instead. Retry upon receiving a 429 status code from the remote-write storage. This is experimental and might change in the future.
Deprecated: Use 'ruler_remote_write_config' instead. Configures AWS's Signature Verification 4 signing process to sign every remote write request.
5 nested properties
Configures global and per-tenant limits for remote write clients. A map with remote client id as key.
Timeout for a remote rule evaluation. Defaults to the value of 'querier.query-timeout'.
Maximum size (in bytes) of the allowable response size from a remote rule evaluation. Set to 0 to allow any response size (default).
Deletion mode. Can be one of 'disabled', 'filter-only', or 'filter-and-delete'. When set to 'filter-only' or 'filter-and-delete', and if retention_enabled is true, then the log entry deletion API endpoints are available.
Retention period to apply to stored data, only applies if retention_enabled is true in the compactor config. As of version 2.8.0, a zero value of 0 or 0s disables retention. In previous releases, Loki did not properly honor a zero value to disable retention and a really large value should be used instead.
Per-stream retention to apply, if retention is enabled on the compactor side. Example:
retention_stream:
  - selector: '{namespace="dev"}'
    priority: 1
    period: 24h
  - selector: '{container="nginx"}'
    priority: 1
    period: 744h
The selector is a Prometheus label matcher that applies the 'period' retention only if the stream matches. If multiple selectors match a stream, the one with the highest priority is picked. If no rule matches, 'retention_period' is used.
Feature renamed to 'runtime configuration', flag deprecated in favor of -runtime-config.file (runtime_config.file in YAML).
Feature renamed to 'runtime configuration'; flag deprecated in favor of -runtime-config.reload-period (runtime_config.period in YAML).
Deprecated: Use deletion_mode per tenant configuration instead.
3 nested properties
Define a list of required selector labels.
Minimum number of label matchers a query should contain.
The shard size defines how many index gateways should be used by a tenant for querying. If the global shard factor is 0, the global shard factor is set to the deprecated -replication-factor for backwards compatibility reasons. Default: 0.
Experimental. The shard size defines how many bloom gateways should be used by a tenant for querying. Default: 0.
Experimental. Whether to use the bloom gateway component in the read path to filter chunks.
Experimental. Interval for computing the cache key in the Bloom Gateway.
Experimental. The shard size defines how many bloom compactors should be used by a tenant when computing blooms. If it's set to 0, shuffle sharding is disabled. Default: 0.
Experimental. Whether to compact chunks into bloom filters.
Experimental. The maximum bloom block size. A value of 0 sets an unlimited size. Default is 200MB. The actual block size might exceed this limit since blooms will be added to blocks until the block exceeds the maximum block size. Default: 200MB.
Experimental. The maximum bloom size per log stream. A log stream whose generated bloom filter exceeds this size will be discarded. A value of 0 sets an unlimited size. Default is 128MB. Default: 128MB.
Experimental. Length of the n-grams created when computing blooms from log lines. Default: 4.
Experimental. Skip factor for the n-grams created when computing blooms from log lines. Default: 1.
Experimental. Scalable Bloom Filter desired false-positive rate. Default: 0.01.
Experimental. Compression algorithm for bloom block pages.
Allow user to send structured metadata in push payload.
Maximum size accepted for structured metadata per log line. Default: 64KB.
Maximum number of structured metadata entries per log line. Default: 128.
OTLP log ingestion configurations
3 nested properties
Configuration for resource attributes to store them as index labels or Structured Metadata or drop them altogether
2 nested properties
Configure whether to ignore the default list of resource attributes set in 'distributor.otlp.default_resource_attributes_as_index_labels' to be stored as index labels and only use the given resource attributes config
Configuration for scope attributes to store them as Structured Metadata or drop them altogether
Configuration for log attributes to store them as Structured Metadata or drop them altogether
Directory to store chunks in.
Name of the node in memberlist cluster. Defaults to hostname.
Add random suffix to the node name.
The timeout for establishing a connection with a remote node, and for read/write operations.
Multiplication factor used when sending out messages (factor * log(N+1)). Default: 4.
How often to use pull/push sync.
How often to gossip.
How many nodes to gossip to. Default: 3.
How long to keep gossiping to dead nodes, to give them a chance to refute their death.
How soon a dead node's name can be reclaimed with a new address. 0 to disable.
Enable message compression. This can be used to reduce bandwidth usage at the cost of slightly more CPU utilization.
Gossip address to advertise to other members in the cluster. Used for NAT traversal.
Gossip port to advertise to other members in the cluster. Used for NAT traversal. Default: 7946.
The cluster label is an optional string to include in outbound packets and gossip streams. Other members in the memberlist cluster will discard any message whose label doesn't match the configured one, unless the 'cluster-label-verification-disabled' configuration option is set to true.
When true, memberlist doesn't verify that inbound packets and gossip streams have the cluster label matching the configured one. This verification should be disabled while rolling out the change to the configured cluster label in a live memberlist cluster.
Other cluster members to join. Can be specified multiple times. It can be an IP, hostname or an entry specified in the DNS Service Discovery format.
Min backoff duration to join other cluster members.
Max backoff duration to join other cluster members.
Max number of retries to join other cluster members. Default: 10.
If this node fails to join memberlist cluster, abort.
If not 0, how often to rejoin the cluster. Occasional rejoin can help to fix the cluster split issue, and is harmless otherwise. For example, when using only a few components as seed nodes (via -memberlist.join), it's recommended to use rejoin. If -memberlist.join points to a dynamic service that resolves to all gossiping nodes (e.g. a Kubernetes headless service), then rejoin is not needed.
How long to keep LEFT ingesters in the ring.
Timeout for leaving memberlist cluster.
How much space to use for keeping received and sent messages in memory for troubleshooting (two buffers). 0 to disable. Default: 0.
IP address to listen on for gossip messages. Multiple addresses may be specified. Defaults to 0.0.0.0
Port to listen on for gossip messages. Default: 7946.
Timeout used when connecting to other nodes to send packet.
Timeout for writing 'packet' data.
Enable TLS on the memberlist transport layer.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
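An added example (not part of the Loki schema or the project's code) that audits the three values described in the gRPC client TLS settings and the memberlist TLS settings above: the cipher suite override, the minimum TLS version, and the skip-validation switch. The suite names and version values are the ones listed on this page; the `TLSSettings` struct, the `Audit` function, and the choice to flag anything below VersionTLS12 are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

func toSet(names ...string) map[string]bool {
	m := make(map[string]bool, len(names))
	for _, n := range names {
		m[n] = true
	}
	return m
}

// Names the page lists under "Secure Ciphers".
var secureSuites = toSet(
	"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
)

// Names the page lists under "Insecure Ciphers".
var insecureSuites = toSet(
	"TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
	"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
	"TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
	"TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
)

// Allowed minimum-version values from the page, ranked oldest to newest.
var versionRank = map[string]int{
	"VersionTLS10": 0, "VersionTLS11": 1, "VersionTLS12": 2, "VersionTLS13": 3,
}

// TLSSettings carries the values under audit. Field names are local to this
// example and are not Loki configuration keys.
type TLSSettings struct {
	Block              string // label of the config block being checked
	CipherSuites       string // comma-separated override; blank keeps the defaults
	MinVersion         string // blank keeps the default minimum version
	InsecureSkipVerify bool   // "Skip validating server certificate."
}

// Audit returns one finding per problem, in a stable order.
func Audit(s TLSSettings) []string {
	var findings []string
	add := func(format string, args ...any) {
		findings = append(findings, s.Block+": "+fmt.Sprintf(format, args...))
	}
	if s.InsecureSkipVerify {
		add("server certificate validation is skipped")
	}
	if s.MinVersion != "" {
		rank, ok := versionRank[s.MinVersion]
		switch {
		case !ok:
			add("minimum version %q is not an allowed value", s.MinVersion)
		case rank < versionRank["VersionTLS12"]: // policy floor assumed by this example
			add("minimum version %s permits TLS below 1.2", s.MinVersion)
		}
	}
	for _, raw := range strings.Split(s.CipherSuites, ",") {
		name := strings.TrimSpace(raw)
		switch {
		case name == "":
			// Blank entry (or blank override): nothing to check.
		case insecureSuites[name]:
			add("cipher suite %s is listed as insecure", name)
		case !secureSuites[name]:
			add("cipher suite %q is not an allowed value", name)
		}
	}
	return findings
}

func main() {
	// Constructed sample values, not taken from any real deployment.
	sample := TLSSettings{
		Block:              "memberlist",
		CipherSuites:       "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_RC4_128_SHA",
		MinVersion:         "VersionTLS10",
		InsecureSkipVerify: true,
	}
	for _, f := range Audit(sample) {
		fmt.Println(f)
	}
}
```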
Log every new stream created by a push request (very verbose, recommended to enable via runtime config only).
Log every push request (very verbose, recommended to enable via runtime config only).
Log every stream in a push request (very verbose, recommended to enable via runtime config only).
Log push errors with a rate limited logger, will show client push errors without overly spamming logs.
The date of the first day that index buckets should be created. Use a date in the past if this is your only period_config, otherwise use a date when you want the schema to switch over. In YYYY-MM-DD format, for example: 2018-04-15.
store and object_store below affect which <storage_config> key is used. Which index to use. Either tsdb or boltdb-shipper. Following stores are deprecated: aws, aws-dynamo, gcp, gcp-columnkey, bigtable, bigtable-hashed, cassandra, grpc.
Which store to use for the chunks. Either aws (alias s3), azure, gcs, alibabacloud, bos, cos, swift, filesystem, or a named_store (refer to named_stores_config). Following stores are deprecated: aws-dynamo, gcp, gcp-columnkey, bigtable, bigtable-hashed, cassandra, grpc.
The schema version to use, current recommended schema is v13.
Configures how the index is updated and stored.
4 nested properties
Path prefix for index tables. Prefix always needs to end with a path delimiter '/', except when the prefix is empty.
Table prefix for all period tables.
Table period.
A map to be added to all managed tables.
Configures how the chunks are updated and stored.
3 nested properties
Table prefix for all period tables.
Table period.
A map to be added to all managed tables.
How many shards will be created. Only used if schema is v10 or greater. Default: 16.
Maximum duration for which the live tailing requests are served.
Time to wait before sending more than the minimum successful query requests.
Maximum lookback beyond which queries are not sent to ingester. 0 means all queries are sent to ingester.
1 nested properties
The maximum amount of time to look back for log lines. Used only for instant log queries.
The maximum number of queries that can be simultaneously processed by the querier. Default: 4.
Only query the store, and not attempt any ingesters. This is useful for running a standalone querier pool operating only against stored data.
When true, queriers only query the ingesters, and not stored data. This is useful when the object store is unavailable.
When true, allow queries to span multiple tenants.
When true, querier limits sent via a header are enforced.
Mutate incoming queries to align their start and end with their step.
2 nested properties
6 nested properties
The default validity of entries for caches unless overridden.
Use compression in cache. The default is an empty value '', which disables compression. Supported values are: 'snappy' and ''.
Cache query results.
Maximum number of retries for a single request; beyond this, the downstream error is returned. Default: 5.
Perform query parallelisations based on storage sharding configuration and query ASTs. This feature is supported only by the chunks storage engine.
A comma-separated list of LogQL vector and range aggregations that should be sharded
Cache index stats query results.
If a cache config is not specified and cache_index_stats_results is true, the config for the results cache is used.
2 nested properties
6 nested properties
The default validity of entries for caches unless overridden.
Use compression in cache. The default is an empty value '', which disables compression. Supported values are: 'snappy' and ''.
Cache volume query results.
If a cache config is not specified and cache_volume_results is true, the config for the results cache is used.
2 nested properties
6 nested properties
The default validity of entries for caches unless overridden.
Use compression in cache. The default is an empty value '', which disables compression. Supported values are: 'snappy' and ''.
Cache instant metric query results.
If a cache config is not specified and cache_instant_metric_results is true, the config for the results cache is used.
2 nested properties
6 nested properties
The default validity of entries for caches unless overridden.
Use compression in cache. The default is an empty value '', which disables compression. Supported values are: 'snappy' and ''.
Whether to align the splits of instant metric query with splitByInterval and query's exec time. Useful when instant_metric_cache is enabled
Cache series query results.
If series_results_cache is not configured and cache_series_results is true, the config for the results cache is used.
2 nested properties
6 nested properties
The default validity of entries for caches unless overridden.
Use compression in cache. The default is an empty value '', which disables compression. Supported values are: 'snappy' and ''.
Cache label query results.
If label_results_cache is not configured and cache_label_results is true, the config for the results cache is used.
2 nested properties
6 nested properties
The default validity of entries for caches unless overridden.
Use compression in cache. The default is an empty value '', which disables compression. Supported values are: 'snappy' and ''.
Maximum number of outstanding requests per tenant per query-scheduler. In-flight requests above this limit will fail with HTTP response status code 429. Default: 32000.
Maximum number of levels of nesting of hierarchical queues. 0 means that hierarchical queues are disabled. Default: 3.
If a querier disconnects without sending notification about graceful shutdown, the query-scheduler will keep the querier in the tenant's shard until the forget delay has passed. This feature is useful to reduce the blast radius when shuffle-sharding is enabled.
20 nested properties
gRPC client max receive message size (bytes). Default: 104857600.
gRPC client max send message size (bytes). Default: 104857600.
Use compression when sending messages. Supported values are: 'gzip', 'snappy' and '' (disable compression)
Rate limit for gRPC client; 0 means disabled. Default: 0.
Rate limit burst for gRPC client. Default: 0.
Enable backoff and retry when we hit rate limits.
3 nested properties
Minimum delay when backing off.
Maximum delay when backing off.
Number of times to backoff and retry before failing. Default: 10.
Initial stream window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Initial connection window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Enable TLS in the gRPC client. This flag needs to be enabled when any other TLS flag is set. If set to false, insecure connection to gRPC server will be used.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
The maximum amount of time to establish a connection. A value of 0 means default gRPC client connect timeout and backoff.
Initial backoff delay after first connection failure. Only relevant if ConnectTimeout > 0.
Maximum backoff delay when establishing a connection. Only relevant if ConnectTimeout > 0.
Set to true to have the query schedulers create and place themselves in a ring. If no frontend_address or scheduler_address are present anywhere else in the configuration, Loki will toggle this value to true.
The hash ring configuration. This option is required only if use_scheduler_ring is true.
13 nested properties
Period at which to heartbeat to the ring. 0 = disabled.
The heartbeat timeout after which compactors are considered unhealthy within the ring. 0 = never (timeout disabled).
File path where tokens are stored. If empty, tokens are not stored at shutdown and restored at startup.
True to enable zone-awareness and replicate blocks across different availability zones.
Instance ID to register in the ring.
Name of network interface to read address from.
Port to advertise in the ring (defaults to server.grpc-listen-port). Default: 0.
IP address to advertise in the ring.
The availability zone where this instance is running. Required if zone-awareness is enabled.
Enable using an IPv6 instance address.
Base URL of the Grafana instance.
Datasource UID for the dashboard.
Labels to add to all alerts.
20 nested properties
gRPC client max receive message size (bytes). Default: 104857600.
gRPC client max send message size (bytes). Default: 104857600.
Use compression when sending messages. Supported values are: 'gzip', 'snappy' and '' (disable compression)
Rate limit for gRPC client; 0 means disabled. Default: 0.
Rate limit burst for gRPC client. Default: 0.
Enable backoff and retry when we hit rate limits.
3 nested properties
Minimum delay when backing off.
Maximum delay when backing off.
Number of times to backoff and retry before failing. Default: 10.
Initial stream window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Initial connection window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Enable TLS in the gRPC client. This flag needs to be enabled when any other TLS flag is set. If set to false, insecure connection to gRPC server will be used.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
The maximum amount of time to establish a connection. A value of 0 means default gRPC client connect timeout and backoff.
Initial backoff delay after first connection failure. Only relevant if ConnectTimeout > 0.
Maximum backoff delay when establishing a connection. Only relevant if ConnectTimeout > 0.
How frequently to evaluate rules.
How frequently to poll for rule changes.
Deprecated: Use -ruler-storage. CLI flags and their respective YAML config options instead.
9 nested properties
Method to use for backend rule storage (configdb, azure, gcs, s3, swift, local, bos, cos)
21 nested properties
Azure Cloud environment. Supported values are: AzureGlobal, AzureChinaCloud, AzureGermanCloud, AzureUSGovernment.
Azure storage account name.
Azure storage account key.
If connection-string is set, the values of account-name and endpoint-suffix will not be used. Use this method over account-key if you need to authenticate via a SAS token or if you use the Azurite emulator.
Name of the storage account blob container used to store chunks. This container must be created before running cortex.
Azure storage endpoint suffix without schema. The storage account name will be prefixed to this value to create the FQDN.
Use Managed Identity to authenticate to the Azure storage account.
Use Federated Token to authenticate to the Azure storage account.
User assigned identity ID to authenticate to the Azure storage account.
Use Service Principal to authenticate through Azure OAuth.
Azure Service Principal ID(GUID).
Azure Service Principal secret key.
Azure Tenant ID is used to authenticate through Azure OAuth.
Chunk delimiter for blob ID to be used
Preallocated buffer size for downloads. Default: 512000.
Preallocated buffer size for uploads. Default: 256000.
Number of buffers used to upload a chunk. Default: 1.
Timeout for requests made against azure blob storage.
Number of retries for a request which times out. Default: 5.
Minimum time to wait before retrying a request.
Maximum time to wait before retrying a request.
4 nested properties
Name of OSS bucket.
OSS endpoint to connect to.
alibabacloud Access Key ID
alibabacloud Secret Access Key
7 nested properties
Name of GCS bucket. Please refer to https://cloud.google.com/docs/authentication/production for more information about how to configure authentication.
Service account key content in JSON format, refer to https://cloud.google.com/iam/docs/creating-managing-service-account-keys for creation.
The size of the buffer that the GCS client uses for each PUT request. 0 to disable buffering. Default: 0.
The duration after which the requests to GCS should be timed out.
Enable OpenCensus (OC) instrumentation for all requests.
Enable HTTP2 connections.
Enable automatic retries of failed idempotent requests.
14 nested properties
S3 endpoint URL with escaped Key and Secret encoded. If only region is specified as a host, proper endpoint will be deduced. Use inmemory:///
Set this to true to force the request to use path-style addressing.
Comma separated list of bucket names to evenly distribute chunks over. Overrides any buckets specified in s3.url flag
S3 Endpoint to connect to.
AWS region to use.
AWS Access Key ID
AWS Secret Access Key
AWS Session Token
Disable https on s3 connection.
The signature version to use for authenticating against S3. Supported values are: v4.
The S3 storage class which objects will use. Supported values are: GLACIER, DEEP_ARCHIVE, GLACIER_IR, INTELLIGENT_TIERING, ONEZONE_IA, OUTPOSTS, REDUCED_REDUNDANCY, STANDARD, STANDARD_IA.
Configures back off when S3 get Object.
4 nested properties
Name of BOS bucket.
BOS endpoint to connect to.
Baidu Cloud Engine (BCE) Access Key ID.
Baidu Cloud Engine (BCE) Secret Access Key.
19 nested properties
OpenStack Swift authentication API version. 0 to autodetect. Default: 0.
OpenStack Swift authentication URL
Set this to true to use the internal OpenStack Swift endpoint URL
OpenStack Swift username.
OpenStack Swift user's domain name.
OpenStack Swift user's domain ID.
OpenStack Swift user ID.
OpenStack Swift API key.
OpenStack Swift user's domain ID.
OpenStack Swift user's domain name.
OpenStack Swift project ID (v2,v3 auth only).
OpenStack Swift project name (v2,v3 auth only).
ID of the OpenStack Swift project's domain (v3 auth only), only needed if it differs from the user domain.
Name of the OpenStack Swift project's domain (v3 auth only), only needed if it differs from the user domain.
OpenStack Swift Region to use (v2,v3 auth only).
Name of the OpenStack Swift container to put chunks in.
Max retries on requests error. Default: 3.
Time after which a connection attempt is aborted.
Time after which an idle request is aborted. The timeout watchdog is reset each time some data is received, so the timeout triggers after X time no data is received on a request.
14 nested properties
Set this to true to force the request to use path-style addressing.
Comma separated list of bucket names to evenly distribute chunks over.
COS Endpoint to connect to.
COS region to use.
COS HMAC Access Key ID.
COS HMAC Secret Access Key.
Configures back off when cos get Object.
IAM API key to access COS.
COS service instance id to use.
IAM Auth Endpoint for authentication.
Compute resource token file path.
Name of the trusted profile.
ID of the trusted profile.
Configures backend rule storage for a local file system directory.
1 nested property
Directory to scan for rules
File path to store temporary rule files.
Comma-separated list of Alertmanager URLs to send notifications to. Each Alertmanager URL is treated as a separate group in the configuration. Multiple Alertmanagers in HA per group can be supported by using DNS resolution via '-ruler.alertmanager-discovery'.
Use DNS SRV records to discover Alertmanager hosts.
How long to wait between refreshing DNS resolutions of Alertmanager hosts.
If enabled requests to Alertmanager will utilize the V2 API.
List of alert relabel configs.
Capacity of the queue for notifications to be sent to the Alertmanager. Default: 10000.
HTTP timeout duration when sending notifications to the Alertmanager.
12 nested properties
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
HTTP Basic authentication username. It overrides the username set in the URL (if any).
HTTP Basic authentication password. It overrides the password set in the URL (if any).
HTTP Header authorization type (default: Bearer).
HTTP Header authorization credentials.
HTTP Header authorization credentials file.
Max time to tolerate outage for restoring "for" state of alert.
Minimum duration between alert and restored "for" state. This is maintained only for alerts with configured "for" time greater than the grace period.
Minimum amount of time to wait before resending an alert to Alertmanager.
Distribute rule evaluation using ring backend.
The sharding strategy to use. Supported values are: default, shuffle-sharding.
The sharding algorithm to use for deciding how rules & groups are sharded. Supported values are: by-group, by-rule.
Time to spend searching for a pending ruler when shutting down.
Ring used by Loki ruler. The CLI flags prefix for this block configuration is 'ruler.ring'.
5 nested properties
Interval between heartbeats sent to the ring. 0 = disabled.
The heartbeat timeout after which ruler ring members are considered unhealthy within the ring. 0 = never (timeout disabled).
Name of network interface to read addresses from.
The number of tokens the lifecycler will generate and put into the ring if it joined without transferring tokens from another lifecycler. Default: 128.
Period with which to attempt to flush rule groups.
Enable the ruler API.
Comma separated list of tenants whose rules this ruler can evaluate. If specified, only these tenants will be handled by ruler, otherwise this ruler can process rules from all tenants. Subject to sharding.
Comma separated list of tenants whose rules this ruler cannot evaluate. If specified, a ruler that would normally pick the specified tenant(s) for processing will ignore them instead. Subject to sharding.
Report the wall time for ruler queries to complete as a per user metric and as an info level log message.
Disable the rule_group label on exported metrics.
4 nested properties
The directory in which to write tenant WAL files. Each tenant will have its own directory one level below this directory.
Frequency with which to run the WAL truncation process.
Minimum age that samples must exist in the WAL before being truncated.
Maximum age that samples must exist in the WAL before being truncated.
2 nested properties
The minimum age of a WAL to consider for cleaning.
How often to run the WAL cleaner. 0 = disabled.
Remote-write configuration to send rule samples to a Prometheus remote-write endpoint.
5 nested properties
Remote-write configuration to send rule samples to a Prometheus remote-write endpoint.
5 nested properties
Remote-write configuration to send rule samples to a Prometheus remote-write endpoint.
Configure remote write clients. A map with remote client id as key.
Enable remote-write functionality.
Minimum period to wait between refreshing remote-write reconfigurations. This should be greater than or equivalent to -limits.per-user-override-period.
Add X-Scope-OrgID header in remote write requests.
Configure remote write clients. A map with remote client id as key.
Enable remote-write functionality.
Minimum period to wait between refreshing remote-write reconfigurations. This should be greater than or equivalent to -limits.per-user-override-period.
Add X-Scope-OrgID header in remote write requests.
Configuration for rule evaluation.
3 nested properties
The evaluation mode for the ruler. Can be either 'local' or 'remote'. If set to 'local', the ruler will evaluate rules locally. If set to 'remote', the ruler will evaluate rules remotely. If unset, the ruler will evaluate rules locally.
Upper bound of random duration to wait before rule evaluation to avoid contention during concurrent execution of rules. Jitter is calculated consistently for a given rule. Set 0 to disable (default).
9 nested properties
GRPC listen address of the query-frontend(s). Must be a DNS address (prefixed with dns:///) to enable client side load balancing.
Set to true if query-frontend connection requires TLS.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
How often to check runtime config files.
Comma separated list of yaml files with the configuration that can be updated at runtime. Runtime config files will be merged from left to right.
S3 endpoint URL with escaped Key and Secret encoded. If only region is specified as a host, proper endpoint will be deduced. Use inmemory:///
Set this to true to force the request to use path-style addressing.
Comma separated list of bucket names to evenly distribute chunks over. Overrides any buckets specified in s3.url flag
S3 Endpoint to connect to.
AWS region to use.
AWS Access Key ID
AWS Secret Access Key
AWS Session Token
Disable https on s3 connection.
5 nested properties
Timeout specifies a time limit for requests made by s3 Client.
The maximum amount of time an idle connection will be held open.
If non-zero, specifies the amount of time to wait for a server's response headers after fully writing the request.
Set to true to skip verifying the certificate chain and hostname.
Path to the trusted CA file that signed the SSL certificate of the S3 endpoint.
The signature version to use for authenticating against S3. Supported values are: v4.
The S3 storage class which objects will use. Supported values are: GLACIER, DEEP_ARCHIVE, GLACIER_IR, INTELLIGENT_TIERING, ONEZONE_IA, OUTPOSTS, REDUCED_REDUNDANCY, STANDARD, STANDARD_IA.
3 nested properties
Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3.
KMS Key ID used to encrypt objects in S3
KMS Encryption Context used for object encryption. It expects JSON formatted string.
Configures back off when S3 get Object.
3 nested properties
Minimum backoff time when s3 get Object
Maximum backoff time when s3 get Object
Maximum number of times to retry when s3 get Object. Default: 5.
HTTP server listen network, default tcp
HTTP server listen address.
HTTP server listen port. Default: 3100.
Maximum number of simultaneous http connections, <=0 to disable. Default: 0.
gRPC server listen network
gRPC server listen address.
gRPC server listen port. Default: 9095.
Maximum number of simultaneous grpc connections, <=0 to disable. Default: 0.
Comma-separated list of cipher suites to use. If blank, the default Go cipher suites are used.
Minimum TLS version to use. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. If blank, the Go TLS minimum version is used.
7 nested properties
Server TLS certificate. This configuration parameter is YAML only.
Server TLS key. This configuration parameter is YAML only.
Root certificate authority used to verify client certificates. This configuration parameter is YAML only.
HTTP server cert path.
HTTP server key path.
HTTP TLS Client Auth type.
HTTP TLS Client CA path.
7 nested properties
Server TLS certificate. This configuration parameter is YAML only.
Server TLS key. This configuration parameter is YAML only.
Root certificate authority used to verify client certificates. This configuration parameter is YAML only.
GRPC TLS server cert path.
GRPC TLS server key path.
GRPC TLS Client Auth type.
GRPC TLS Client CA path.
Register the instrumentation handlers (/metrics etc).
If set to true, gRPC statuses will be reported in instrumentation labels with their string representations. Otherwise, they will be reported as "error".
Timeout for graceful shutdowns
Read timeout for entire HTTP request, including headers and body.
Read timeout for HTTP request headers. If set to 0, value of -server.http-read-timeout is used.
Write timeout for HTTP server
Idle timeout for HTTP server
Log closed connections that did not receive any response, most likely because client didn't send any request within timeout.
Limit on the size of a gRPC message this server can receive (bytes). Default: 4194304.
Limit on the size of a gRPC message this server can send (bytes). Default: 4194304.
Limit on the number of concurrent streams for gRPC calls per client connection (0 = unlimited). Default: 100.
The duration after which an idle connection should be closed. Default: infinity
The duration for the maximum amount of time a connection may exist before it will be closed. Default: infinity
An additive period after max-connection-age after which the connection will be forcibly closed. Default: infinity
Duration after which a keepalive probe is sent in case of no activity over the connection. Default: 2h
After having pinged for keepalive check, the duration after which an idle connection should be closed. Default: 20s
Minimum amount of time a client should wait before sending a keepalive ping. If client sends keepalive ping more often, server will send GOAWAY and close the connection.
If true, server allows keepalive pings even when there are no active streams(RPCs). If false, and client sends ping when there are no active streams, server will send GOAWAY and close the connection.
If non-zero, configures the number of gRPC server workers used to serve the requests. Default: 0.
Output log messages in the given format. Valid formats: [logfmt, json]
Only log messages with the given severity or above. Valid levels: [debug, info, warn, error]
Optionally log the source IPs.
Header field storing the source IPs. Only used if server.log-source-ips-enabled is true. If not set the default Forwarded, X-Real-IP and X-Forwarded-For headers are used
Regex for matching the source IPs. Only used if server.log-source-ips-enabled is true. If not set the default Forwarded, X-Real-IP and X-Forwarded-For headers are used
Optionally log request headers.
Optionally log requests at info level instead of debug level. Applies to request headers as well if server.log-request-headers is enabled.
Comma separated list of headers to exclude from logging. Only used if server.log-request-headers is true.
Base path to serve all API routes from (e.g. /v1/)
4 nested properties
Name of OSS bucket.
OSS endpoint to connect to.
alibabacloud Access Key ID
alibabacloud Secret Access Key
15 nested properties
Deprecated: Configures storing indexes in DynamoDB.
8 nested properties
DynamoDB endpoint URL with escaped Key and Secret encoded. If only region is specified as a host, proper endpoint will be deduced. Use inmemory:///
DynamoDB table management requests per second limit. Default: 2.
DynamoDB rate cap to back off when throttled. Default: 10.
Number of chunks to group together to parallelise fetches (zero to disable). Default: 10.
Max number of chunk-get operations to start in parallel. Default: 32.
KMS key used for encrypting DynamoDB items. DynamoDB will use an Amazon owned KMS key if not provided.
S3 endpoint URL with escaped Key and Secret encoded. If only region is specified as a host, proper endpoint will be deduced. Use inmemory:///
Set this to true to force the request to use path-style addressing.
Comma separated list of bucket names to evenly distribute chunks over. Overrides any buckets specified in s3.url flag
S3 Endpoint to connect to.
AWS region to use.
AWS Access Key ID
AWS Secret Access Key
AWS Session Token
Disable https on s3 connection.
5 nested properties
Timeout specifies a time limit for requests made by s3 Client.
The maximum amount of time an idle connection will be held open.
If non-zero, specifies the amount of time to wait for a server's response headers after fully writing the request.
Set to true to skip verifying the certificate chain and hostname.
Path to the trusted CA file that signed the SSL certificate of the S3 endpoint.
The signature version to use for authenticating against S3. Supported values are: v4.
The S3 storage class which objects will use. Supported values are: GLACIER, DEEP_ARCHIVE, GLACIER_IR, INTELLIGENT_TIERING, ONEZONE_IA, OUTPOSTS, REDUCED_REDUNDANCY, STANDARD, STANDARD_IA.
3 nested properties
Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3.
KMS Key ID used to encrypt objects in S3
KMS Encryption Context used for object encryption. It expects JSON formatted string.
Configures back off when S3 get Object.
3 nested properties
Minimum backoff time when s3 get Object
Maximum backoff time when s3 get Object
Maximum number of times to retry when s3 get Object. Default: 5.
21 nested properties
Azure Cloud environment. Supported values are: AzureGlobal, AzureChinaCloud, AzureGermanCloud, AzureUSGovernment.
Azure storage account name.
Azure storage account key.
If connection-string is set, the values of account-name and endpoint-suffix will not be used. Use this method over account-key if you need to authenticate via a SAS token or if you use the Azurite emulator.
Name of the storage account blob container used to store chunks. This container must be created before running cortex.
Azure storage endpoint suffix without schema. The storage account name will be prefixed to this value to create the FQDN.
Use Managed Identity to authenticate to the Azure storage account.
Use Federated Token to authenticate to the Azure storage account.
User assigned identity ID to authenticate to the Azure storage account.
Use Service Principal to authenticate through Azure OAuth.
Azure Service Principal ID(GUID).
Azure Service Principal secret key.
Azure Tenant ID is used to authenticate through Azure OAuth.
Chunk delimiter for blob ID to be used
Preallocated buffer size for downloads. Default: 512000.
Preallocated buffer size for uploads. Default: 256000.
Number of buffers used to upload a chunk. Default: 1.
Timeout for requests made against azure blob storage.
Number of retries for a request which times out. Default: 5.
Minimum time to wait before retrying a request.
Maximum time to wait before retrying a request.
4 nested properties
Name of BOS bucket.
BOS endpoint to connect to.
Baidu Cloud Engine (BCE) Access Key ID.
Baidu Cloud Engine (BCE) Secret Access Key.
Deprecated: Configures storing indexes in Bigtable. Required fields only required when bigtable is defined in config.
5 nested properties
Bigtable project ID.
Bigtable instance ID. Please refer to https://cloud.google.com/docs/authentication/production for more information about how to configure authentication.
20 nested properties
gRPC client max receive message size (bytes). Default: 104857600.
gRPC client max send message size (bytes). Default: 104857600.
Use compression when sending messages. Supported values are: 'gzip', 'snappy' and '' (disable compression)
Rate limit for gRPC client; 0 means disabled. Default: 0.
Rate limit burst for gRPC client. Default: 0.
Enable backoff and retry when we hit rate limits.
Initial stream window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Initial connection window size. Values less than the default are not supported and are ignored. Setting this to a value other than the default disables the BDP estimator. Default: 63KiB1023B.
Enable TLS in the gRPC client. This flag needs to be enabled when any other TLS flag is set. If set to false, insecure connection to gRPC server will be used.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
The maximum amount of time to establish a connection. A value of 0 means default gRPC client connect timeout and backoff.
Initial backoff delay after first connection failure. Only relevant if ConnectTimeout > 0.
Maximum backoff delay when establishing a connection. Only relevant if ConnectTimeout > 0.
If enabled, once a table's info is fetched, it is cached.
Duration to cache tables before checking again.
7 nested properties
Name of GCS bucket. Please refer to https://cloud.google.com/docs/authentication/production for more information about how to configure authentication.
Service account key content in JSON format, refer to https://cloud.google.com/iam/docs/creating-managing-service-account-keys for creation.
The size of the buffer that the GCS client uses for each PUT request. 0 to disable buffering. Default: 0.
The duration after which the requests to GCS should be timed out.
Enable OpenCensus (OC) instrumentation for all requests.
Enable HTTP2 connections.
Enable automatic retries of failed idempotent requests.
Deprecated: Configures storing chunks and/or the index in Cassandra.
27 nested properties
Comma-separated hostnames or IPs of Cassandra instances.
Port that Cassandra is running on. Default: 9042.
Keyspace to use in Cassandra.
Consistency level for Cassandra.
Replication factor to use in Cassandra. Default: 3.
Instruct the cassandra driver to not attempt to get host info from the system.peers table.
Use SSL when connecting to cassandra instances.
Require SSL certificate validation.
Policy for selecting Cassandra host. Supported values are: round-robin, token-aware.
Path to certificate file to verify the peer.
Path to certificate file used by TLS.
Path to private key file used by TLS.
Enable password authentication when connecting to cassandra.
Username to use when connecting to cassandra.
Password to use when connecting to cassandra.
File containing password to use when connecting to cassandra.
If set, when authenticating with cassandra a custom authenticator will be expected during the handshake. This flag can be set multiple times.
Timeout when connecting to cassandra.
Initial connection timeout, used during initial dial to server.
Interval to retry connecting to cassandra nodes marked as DOWN.
Number of retries to perform on a request. Set to 0 to disable retries. Default: 0.
Maximum time to wait before retrying a failed request.
Minimum time to wait before retrying a failed request.
Limit number of concurrent queries to Cassandra. Set to 0 to disable the limit. Default: 0.
Number of TCP connections per host. Default: 2.
Convict hosts of being down on failure.
Table options used to create index or chunk tables. This value is used as plain text in the table WITH like this, "CREATE TABLE <generated_by_cortex> (...) WITH <cassandra.table-options>". For details, see https://cortexmetrics.io/docs/production/cassandra. By default it will use the default table options of your Cassandra cluster.
Deprecated: Configures storing index in BoltDB. Required fields only required when boltdb is present in the configuration.
1 nested property
Location of BoltDB index files.
1 nested property
Directory to store chunks in.
19 nested properties
OpenStack Swift authentication API version. 0 to autodetect. Default: 0.
OpenStack Swift authentication URL
Set this to true to use the internal OpenStack Swift endpoint URL
OpenStack Swift username.
OpenStack Swift user's domain name.
OpenStack Swift user's domain ID.
OpenStack Swift user ID.
OpenStack Swift API key.
OpenStack Swift user's domain ID.
OpenStack Swift user's domain name.
OpenStack Swift project ID (v2,v3 auth only).
OpenStack Swift project name (v2,v3 auth only).
ID of the OpenStack Swift project's domain (v3 auth only), only needed if it differs from the user domain.
Name of the OpenStack Swift project's domain (v3 auth only), only needed if it differs from the user domain.
OpenStack Swift Region to use (v2,v3 auth only).
Name of the OpenStack Swift container to put chunks in.
Max retries on requests error. Default: 3.
Time after which a connection attempt is aborted.
Time after which an idle request is aborted. The timeout watchdog is reset each time some data is received, so the timeout triggers once no data has been received on a request for X time.
Deprecated:
1 nested property
Hostname or IP of the gRPC store instance.
3 nested properties
If set to a non-zero value a second request will be issued at the provided duration. Default is 0 (disabled)
The maximum number of hedge requests allowed. Default: 2.
The maximum number of hedge requests allowed per second. Default: 5.
14 nested properties
Set this to true to force the request to use path-style addressing.
Comma separated list of bucket names to evenly distribute chunks over.
COS Endpoint to connect to.
COS region to use.
COS HMAC Access Key ID.
COS HMAC Secret Access Key.
2 nested properties
The maximum amount of time an idle connection will be held open.
If non-zero, specifies the amount of time to wait for a server's response headers after fully writing the request.
Configures backoff when getting an object from COS.
3 nested properties
Minimum backoff time when getting an object from COS.
Maximum backoff time when getting an object from COS.
Maximum number of times to retry when getting an object from COS. Default: 5.
IAM API key to access COS.
COS service instance id to use.
IAM Auth Endpoint for authentication.
Compute resource token file path.
Name of the trusted profile.
ID of the trusted profile.
Cache validity for active index entries. Should be no higher than -ingester.max-chunk-idle.
4 nested properties
Use storage congestion control (default: disabled).
2 nested properties
Congestion control strategy to use (default: none, options: 'aimd').
2 nested properties
Congestion control retry strategy to use (default: none, options: 'limited').
Maximum number of retries allowed. Default: 2.
2 nested properties
Congestion control hedge strategy to use (default: none, options: 'limited').
Experimental. Sets a constant prefix for all keys inserted into object storage. Example: loki/
6 nested properties
The default validity of entries for caches unless overridden.
3 nested properties
At what concurrency to write back to cache. Default: 1.
How many key batches to buffer for background write-back. Default is large to prefer size based limiting. Default: 500000.
Size limit in bytes for background write-back. Default: 500MB.
3 nested properties
How long keys stay in the memcache.
How many keys to fetch in each batch. Default: 4.
Maximum active requests to memcache. Default: 5.
19 nested properties
Hostname for memcached service to use. If empty and if addresses is unset, no memcached will be used.
SRV service used to discover memcache servers.
Comma separated addresses list in DNS Service Discovery format: https://grafana.com/docs/mimir/latest/configure/about-dns-service-discovery/#supported-discovery-modes
Maximum time to wait before giving up on memcached requests.
Maximum number of idle connections in pool. Default: 16.
The maximum size of an item stored in memcached. Bigger items are not stored. If set to 0, no maximum size is enforced. Default: 0.
Period with which to poll DNS for memcache servers.
Use consistent hashing to distribute to memcache servers.
Trip circuit-breaker after this number of consecutive dial failures (if zero then circuit-breaker is disabled). Default: 10.
Duration circuit-breaker remains open after tripping (if zero then 60 seconds is used).
Reset circuit-breaker counts after this long (if zero then never reset).
Enable connecting to Memcached with TLS.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
13 nested properties
Redis Server or Cluster configuration endpoint to use for caching. A comma-separated list of endpoints for Redis Cluster or Redis Sentinel. If empty, no redis will be used.
Redis Sentinel master name. An empty string for Redis Server or Redis Cluster.
Maximum time to wait before giving up on redis requests.
How long keys stay in the redis.
Database index. Default: 0.
Maximum number of connections in the pool. Default: 0.
Username to use when connecting to redis.
Password to use when connecting to redis.
Enable connecting to redis with TLS.
Skip validating server certificate.
Close connections after remaining idle for this duration. If the value is zero, then idle connections are not closed.
Close connections older than this duration. If the value is zero, then the pool does not close connections based on age.
By default, the Redis client only reads from the master node. Enabling this option can lower pressure on the master node by randomly routing read-only commands to the master and any available replicas.
4 nested properties
Whether embedded cache is enabled.
Maximum memory size of the cache in MB. Default: 100.
Maximum number of entries in the cache. Default: 0.
The time to live for items in the cache before they get purged.
Disable broad index queries which results in reduced cache usage and faster query performance at the expense of somewhat higher QPS on the index store.
Maximum number of parallel chunk reads. Default: 150.
The maximum number of chunks to fetch per batch. Default: 50.
Configures storing index in an Object Store (GCS/S3/Azure/Swift/COS/Filesystem) in the form of boltdb files. Required fields only required when boltdb-shipper is defined in config.
10 nested properties
Directory where ingesters would write index files which would then be uploaded by shipper to configured storage
Cache location for restoring index files from storage for queries
TTL for index files restored in cache for queries
Resync downloaded files with the storage
Number of days of common index to be kept downloaded for queries. For per tenant index query readiness, use limits overrides config. Default: 0.
3 nested properties
Hostname or IP of the Index Gateway gRPC server running in simple mode. Can also be prefixed with dns+, dnssrv+, or dnssrvnoa+ to resolve a DNS A record with multiple IPs, a DNS SRV record with a followup A record lookup, or a DNS SRV record without a followup A record lookup, respectively.
Whether requests sent to the gateway should be logged or not.
Build per tenant index files
Configures storing index in an Object Store (GCS/S3/Azure/Swift/COS/Filesystem) in a prometheus TSDB-like format. Required fields only required when TSDB is defined in config.
9 nested properties
Directory where ingesters would write index files which would then be uploaded by shipper to configured storage
Cache location for restoring index files from storage for queries
TTL for index files restored in cache for queries
Resync downloaded files with the storage
Number of days of common index to be kept downloaded for queries. For per tenant index query readiness, use limits overrides config. Default: 0.
3 nested properties
Hostname or IP of the Index Gateway gRPC server running in simple mode. Can also be prefixed with dns+, dnssrv+, or dnssrvnoa+ to resolve a DNS A record with multiple IPs, a DNS SRV record with a followup A record lookup, or a DNS SRV record without a followup A record lookup, respectively.
Whether requests sent to the gateway should be logged or not.
Experimental: Configures the bloom shipper component, which contains the store abstraction to fetch bloom filters from and put them to object storage.
5 nested properties
Working directory to store downloaded bloom blocks. Supports multiple directories, separated by comma.
Maximum size of bloom pages that should be queried. Larger pages than this limit are skipped when querying blooms to limit memory usage. Default: 64MiB.
The maximum number of concurrent bloom block downloads. Usually set to 2x number of CPU cores. Default: 8.
3 nested properties
Cache for bloom blocks. Soft limit of the cache in bytes. Exceeding this limit will trigger evictions of least recently used items in the background. Default: 32GiB.
Cache for bloom blocks. Hard limit of the cache in bytes. Exceeding this limit will block execution until usage falls below the soft limit. Default: 64GiB.
Cache for bloom blocks. The time to live for items in the cache before they get purged.
6 nested properties
The default validity of entries for caches unless overridden.
OpenStack Swift authentication API version. 0 to autodetect. Default: 0.
OpenStack Swift authentication URL
Set this to true to use the internal OpenStack Swift endpoint URL
OpenStack Swift username.
OpenStack Swift user's domain name.
OpenStack Swift user's domain ID.
OpenStack Swift user ID.
OpenStack Swift API key.
OpenStack Swift user's domain ID.
OpenStack Swift user's domain name.
OpenStack Swift project ID (v2,v3 auth only).
OpenStack Swift project name (v2,v3 auth only).
ID of the OpenStack Swift project's domain (v3 auth only), only needed if it differs from the user domain.
Name of the OpenStack Swift project's domain (v3 auth only), only needed if it differs from the user domain.
OpenStack Swift Region to use (v2,v3 auth only).
Name of the OpenStack Swift container to put chunks in.
Max retries on requests error. Default: 3.
Time after which a connection attempt is aborted.
Time after which an idle request is aborted. The timeout watchdog is reset each time some data is received, so the timeout triggers once no data has been received on a request for X time.
If true, disable all changes to DB capacity
If true, enables retention deletes of DB tables
Tables older than this retention period are deleted. Must be either 0 (disabled) or a multiple of 24h. When enabled, be aware this setting is destructive to data!
How frequently to poll backend to learn our capacity.
Periodic tables grace period (duration which table will be created/deleted before/after it's needed).
12 nested properties
Enables on demand throughput provisioning for the storage provider (if supported). Applies only to tables which are not autoscaled. Supported by DynamoDB
Table default write throughput. Supported by DynamoDB. Default: 1000.
Table default read throughput. Supported by DynamoDB. Default: 300.
7 nested properties
Should we enable autoscale for the table.
AWS AutoScaling role ARN
DynamoDB minimum provision capacity. Default: 3000.
DynamoDB maximum provision capacity. Default: 6000.
DynamoDB minimum seconds between each autoscale up. Default: 1800.
DynamoDB minimum seconds between each autoscale down. Default: 1800.
DynamoDB target ratio of consumed capacity to provisioned capacity. Default: 80.
7 nested properties
Should we enable autoscale for the table.
AWS AutoScaling role ARN
DynamoDB minimum provision capacity. Default: 3000.
DynamoDB maximum provision capacity. Default: 6000.
DynamoDB minimum seconds between each autoscale up. Default: 1800.
DynamoDB minimum seconds between each autoscale down. Default: 1800.
DynamoDB target ratio of consumed capacity to provisioned capacity. Default: 80.
Enables on demand throughput provisioning for the storage provider (if supported). Applies only to tables which are not autoscaled. Supported by DynamoDB
Table write throughput for inactive tables. Supported by DynamoDB. Default: 1.
Table read throughput for inactive tables. Supported by DynamoDB. Default: 300.
7 nested properties
Should we enable autoscale for the table.
AWS AutoScaling role ARN
DynamoDB minimum provision capacity. Default: 3000.
DynamoDB maximum provision capacity. Default: 6000.
DynamoDB minimum seconds between each autoscale up. Default: 1800.
DynamoDB minimum seconds between each autoscale down. Default: 1800.
DynamoDB target ratio of consumed capacity to provisioned capacity. Default: 80.
7 nested properties
Should we enable autoscale for the table.
AWS AutoScaling role ARN
DynamoDB minimum provision capacity. Default: 3000.
DynamoDB maximum provision capacity. Default: 6000.
DynamoDB minimum seconds between each autoscale up. Default: 1800.
DynamoDB minimum seconds between each autoscale down. Default: 1800.
DynamoDB target ratio of consumed capacity to provisioned capacity. Default: 80.
Number of last inactive tables to enable write autoscale. Default: 4.
Number of last inactive tables to enable read autoscale. Default: 4.
12 nested properties
Enables on demand throughput provisioning for the storage provider (if supported). Applies only to tables which are not autoscaled. Supported by DynamoDB
Table default write throughput. Supported by DynamoDB. Default: 1000.
Table default read throughput. Supported by DynamoDB. Default: 300.
7 nested properties
Should we enable autoscale for the table.
AWS AutoScaling role ARN
DynamoDB minimum provision capacity. Default: 3000.
DynamoDB maximum provision capacity. Default: 6000.
DynamoDB minimum seconds between each autoscale up. Default: 1800.
DynamoDB minimum seconds between each autoscale down. Default: 1800.
DynamoDB target ratio of consumed capacity to provisioned capacity. Default: 80.
7 nested properties
Should we enable autoscale for the table.
AWS AutoScaling role ARN
DynamoDB minimum provision capacity. Default: 3000.
DynamoDB maximum provision capacity. Default: 6000.
DynamoDB minimum seconds between each autoscale up. Default: 1800.
DynamoDB minimum seconds between each autoscale down. Default: 1800.
DynamoDB target ratio of consumed capacity to provisioned capacity. Default: 80.
Enables on demand throughput provisioning for the storage provider (if supported). Applies only to tables which are not autoscaled. Supported by DynamoDB
Table write throughput for inactive tables. Supported by DynamoDB. Default: 1.
Table read throughput for inactive tables. Supported by DynamoDB. Default: 300.
7 nested properties
Should we enable autoscale for the table.
AWS AutoScaling role ARN
DynamoDB minimum provision capacity. Default: 3000.
DynamoDB maximum provision capacity. Default: 6000.
DynamoDB minimum seconds between each autoscale up. Default: 1800.
DynamoDB minimum seconds between each autoscale down. Default: 1800.
DynamoDB target ratio of consumed capacity to provisioned capacity. Default: 80.
7 nested properties
Should we enable autoscale for the table.
AWS AutoScaling role ARN
DynamoDB minimum provision capacity. Default: 3000.
DynamoDB maximum provision capacity. Default: 6000.
DynamoDB minimum seconds between each autoscale up. Default: 1800.
DynamoDB minimum seconds between each autoscale down. Default: 1800.
DynamoDB target ratio of consumed capacity to provisioned capacity. Default: 80.
Number of last inactive tables to enable write autoscale. Default: 4.
Number of last inactive tables to enable read autoscale. Default: 4.
Path to the client certificate, which will be used for authenticating with the server. Also requires the key path to be configured.
Path to the key for the client certificate. Also requires the client certificate to be configured.
Path to the CA certificates to validate server certificate against. If not set, the host's root CA certificates are used.
Override the expected name on the server certificate.
Skip validating server certificate.
Override the default cipher suite list (separated by commas). Allowed values:
Secure Ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Insecure Ciphers:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Override the default minimum TLS version. Allowed values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
Set to false to disable tracing.